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(7!) We, COMPAGNIE INTER- 
NATIONALE POUR L'INFORMATIQUE 
CU-HONEYWO-L^ULL (fomeriy <5>m. 
pagnie Honeywell-Bull), a French Body 
5 Corporate, of 94 Avenue Gambetta, Pans 
750l0, France, do hereby declare the 
invention, for which we pray that a patent 
may be granted to us, and the method by 
which it is to be performed, to be 
IQ particularly described in and by the 
following statement: — 

The present invention concerns 
apparatus for protecting the information in 
a virtual memory system in programmed 
15 data processing apparatus. 

Several schemes have been utilized in the 
past in order to protect information. Some 
of them are detailed by Robert M. Graham 
in a paper entitled "Protection in an 
20 Information Processing Utility", published 
in CACM (May 1968), 

This type of memory protection is 
inadequate for present day 
multiprogramming systems because there is 
25 no provision for gradations of privilege or 
gradations of accessability, and severely 
limits the control over access to 
information. There should be provisions for 
different access rights to the different types 
30 of information. A partial answer to this 
* problems is found in the concept of a 
memory having a segment as the unit of 
information to which access is controlled 
(see Patent Application No. 21630/74, 
35 (Serial No. 1,465,344), flied on 15 May 1974), 
Varying degrees of access to each segment 
is possible by providing for different types 
of privileges attached to each segment such 
as master/slave, write/no-write and 
40 cxecuie/non-cxecute. However, this 
method of protecting the privacy and 
integrity of information does not take into 
account the user of the information. Under 
(his type of protection, privilege is not 
45 accorded the user but the information 
being protected. Hence a user if he has 
access at all to a segment has access similar 
to all other users who have access to the 



segment. David C. Evans and Jean Yves 
LeClcrc in a paoer entitled "Address 50 
Mapping and the Control of Access in an 
Interactive Computer,'' SJCC J 967. 
recognized the problem and attempted a 
solution. Evans and LeOerc said in that 
article p. 23, *Thc user of a computing 55 
system should be able to interact arbitrarily 
with the system, bis own computing 
processes, and other users in a controlled 
manner. He should have access to a large 
information storage and retrieval system 60 
called the Tile system. The file system 
shoufd allow access by all users to 
information in a way which permits 
selectively controlled privacy and security 
of information. A user should be able to 65 
partition his computation into scmi- 
mdepcndent tasks having controlled 
communication and interaction among 
tasks. Such capability should reduce the 
human effort rebuked to construct, deln^ 70 
and modify programs and should make 
possible increased reliability of programs. 
The system should not arbitrarily limit the 
use of input/output equipment or limit 
input/output programming by the user". 75 
Evans and LeClcrc proposed conditioning 
access rights on the proccdure-in- 
exccution. The segment, under their 
proposal, is still the unit of information to 
which access is controlled; however, a 80 
segment's access control attributes are 
recorded substantially in a user-name 
•versus procedure tables whose entries are 
the access modes. Such a solution, 
however, has serious drawbacks. For one, 85 
the construction and updating of each 
segment's table of access control attributes 
presents a formidable task. For another* ' 
100 many uses of the segment and event 
occurrences must be foreseen. To 90 
overcome this problem access control by 
procedure-set was suggested. Under this 
suggestion, related procedures arc grouped 
mto "sets of procedures** and access righU 
10 segments is based on the identity of the 95 
set to which the procedure seeking access 



belongs. This method alleviated the 
problem of constructing and updating each 
segment's voluminous tables of access 
control attributes, but introduced the 
5 problem of determining to which set a given 
procedure belonged, particularly when a 
procedure was or could be a number of 
many sets. This nmbiguity in defining sets, 
and the possible transitions between sets 
10 makes the implementation of access 
control based on **sets of procedures** 
extremely difTicult. 

To overcome the difficulties encountered 
with the *'set'* technique a ring concept was 
15 developed. The ring concept groups the 
sets of procedures into nngs that can 
unambiguously be ordered by increasing 
power or level of privilege. By assigning a 
collection of sets to a collection of 
20 concentric rings, and assigning numbers to 
each ring with the smallest ring having the 
smallest number and each succeeding 
larger ring having a progressively greater 
number, different levels of privilege can 
25 then be unambiguously assigned to the user 
of a segment Under thb concept the 
innermost ring having the smallest number 
assigned to it has the greatest privilege. 
Hence it can be postulated that users in the 
30 lowest ring number can access information 
having higher ring numbers, but users in a 
higher ring number cannot access 
information having lower ring numbers or 
can access information in a lower ring 
35 number only in a specified manner. This 
palpable change or power or level of 
privilege with a change in rings is a concept 
which overcomes the objections associated 
to a change of .sets. 
40 Multics {Mtiltfplexed /nformation and 
Computing Service) is an operating system 
developed primarily by Massachusetts 
Institute of Technology, in cooperation 
with General Electric Co. and others ^fch 
45 first utilized the ring theory of protection in 
software on a converted Honeywell 635 
(Registered Trade Murk) computer and 
later on a Honeywell 645 (Registered Trade 
• Mark) computer. The Multics philosophy 
50 utilizes 64 rings of protection numbered as 
rings 0--63 and is set forth generally in a 
paper entitled "Access Control to the 
Multics Virtual Memory" published by 
Hone>^vcll Information Systems Inc. in the 
55 Multics Technical Papers, Order No. 
AG95, Rev. O. A more detailed description 
of Multics ring protection is to be found on 
chapter 4 of a book entitled **Thc Multics 
System: An Examination of its Structure*', 
60 by Elliott I. Organick, published by MIT 
Press, and also in the Multics System 
Programmers Manual 1969, MIT Project 
MAC. BricHy, the Multics system docs not 
utilize a "pure ring protection strategy" but 
65 rather employs the "ring bracket projection 



strategy" wherein a user*s access rights with 
respect to a given segment are encoded in 
an access-mode and a triple of ring number 
(rl, r2» r3) called the user's "ring brackets*' 
for a given segment. A quotation from 70 
pages 137 — 139 from the Multics Technical 
Paper entitled, "Access Control to the 
Multics Virtual Memory" sets out the rules 
and conditions for using and changing 
rings. 75 

This "ring protection concept" was first 
implemented with software techniques 
utilinng 64 separate rings. Subsequently an 
attempt was made to define a suitable 
hardware base for ring protection. The 80 
Honeywell 645 (Registered Trade Mark) 
computer represents a first such attempt 
The Honeywell 645 (Registered Trade 
Mark) system differs from the "ringed 
hardware" concepts described supra in 85 
several respects which when taken 
together, add up to the fact that the 
Honeywell 645 (Registered Trade Mark) is 
a 2-ni|g rather than a 64'cing machine, and 
has in lieu of a "ring register", a master 90 
mode and a slave mode, which imparts 
greater power to the processor when in 
master mode than when ia slave mode. 
"The access control field of the 645"$ SDW 
(se^ent descriptor word) contains no 95. 
mfonnation about rings; in particular its 
docs not contain ring brackets. It does, 
however, contain either 

a) access-mode information possibly 
including either of the two descriptors; 100 

accessible in master mode only, 
master mode orocedure: 

b) the specification of one of eight 
special 'directed* faults (traps) which is to 
occur whenever the segment descriptor 105 
word (SDW) is accessed. 

"The procedure is only *in master mode'' 
when executing a procedure whose SDW 
indicates a 'master mode procedure*. The 
processor may enter master mode while no 
executing a slave mode procedure by: 

faulting, 

taking (in interrupt**. 

"The 645 processor's access control 
machinery interprets the SDW during the ||5 
addressing cycle and causes the appropriate 
action lo occur depending on the SDW and 
(usually) on the attempted access, as 
follows: 

a. If the SDW implies a particular |20 
"directed fault", then that fault occun. 

b. Otherwise, if the SDW does not 
permit the attempted access, the 
appropriate access violation fault occurs. 

c. Otherwise, the SDW permits the p5 
attempted access and the access is 
performed. 

"When a fault occurs, the 645 enters 
master mode and transfers control to the 
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appropriate master mode fault handling 
procedure". (Access Control to the Multics 
Virtual Memory, supra pps. 157 — 158). 
Another paper by Michael D. Schroeder 

5 and Jerome H. Saltzer entitled "A 
Hardware Architecture for Implementing 
Protection Rings'* published in 
Communications of the ACM. March 1972 
Vol. IS, No. 3, sets forth background and 

10 theory of ring protection and describes a 
hardware implementation of *'ring 
protection**. 

Because the Multics and Honeywell 645 
version of ring protection was implemented 

15 mainly in software, considerable operating 
system supervisor overhead was entailed 
paiticulaHy when calls to greater or lesser 
power were made by trapping to a 
supervisor procedure. What was required 

20, was an access control mechanism which 
had ihc functional capability to perform 
effectively its information protection 
function, was relatively simple in operation, 
was economic to build, operate and 

25 maintain, and did not restrict programming 
generality. The Honeywell 6000 
(Registered Trade Mark) computer system 
met these rec|uircments by implementing 
most of the ring protection mechanism in 

30 hardware. Hence special access checking 
iogtc, integrated with the segmented 
aodressing hardware was provided to 
validate each virtual memory rdTerencCt 
and also some special instructions for 

35 changing the ring of execution. However 
certain portions of the ring system 
particularly outward calls and returns or 
calls to a lesser power and returns 
therefrom presented problems which 

40 required the ring protection function to be 
performed by transferring control to a 
supervisor. What is now needed are further 
improvements in hardware and techniques 
that will permit a full implementation of 

45 ring protection in hardware/firmware and 
will meet the criteria of functional 
capability, economy, simplicity and 
programming generality. 

Accordingly the present invention has for 

50 an object to provide an improved computer 
ring protection mechanism. 

Accordingly the present invention 
consists in an internally programmed data 
processing apparatus CPU having a virtual 

55 memory system, and being responsive to 
internally stored instruction words for 
processing information and having stored in 
said virtual memory system a plurality of 
dtfTcrent types of groups of information 

60 each information group-type associated 
with an address space bounded by a 
segment having adjustable bounds, and 
comprising means for protecting the 
information in said-virtual memory system 

65 from unauthorized users by restricting 



accessability to the information in 
accordance to levels of privilege, said 
means comprising in combination with an 
access checking mechanism: 

(a) first means arranged in operation to 70 
store in said virtual memory system at least 
one segment table comprismg a plurality of 
segment descriptors with eacn se^ent 
descriptor being associated with a 
predetermined one of said segments and 75 
each segment descriptor having a 
predetermined format containing an access 
mformation element and a base address 
element in predetermined positions of said 
format, said base address element being 80 
used for locating in said virtual memory 
system the starting location of a selected 
one of said segments, and said access 
information element for specifying the 
minimum level of privilege required for a g5 
predetermined type of access that is 
permitted in a selected one of said 
segments: 

(b) a plurality of second means having a 
predetermined format, communicating 90 
with said first means, arranged to store in a 
predetermined portion of said second 
means, a segment number SEG for 
identifying a segment table and the location 

of a segment descriptor within said segment 95 
table, said second means also being 
arranged to store m a predetermined other 
portion of said second means, an offset 
address within the segment identified by 
said segment descriptor said offset address lOO 
locating from said segment base the first 
byte of a word within said segment; 

f c) third means respotisive to an address 
syllable element of an instruction beii^ 
executed for addressing one of said |05 
plurality of second means; 

(d) fourth means arranged to store a 
displacement from said address syllable: 

(e) fifth means, communicating with said 
first, second, third and fourth means, HO 
arranged to add the displacement D and 
said base address to said offset; and. 

(0 sixth means responsive to said access 
information element in a selected one of 
said s^ment descriptors, restricting the |I5 
accessability to the segment associated with 
said selected one of said segment 
descriptors in accordance to the level of 
privilege and the type of access specified in 
said access information element, wherein 120 
each group-type of information is 
associated with a predetermined ring 
number indicative of a level of privilege 
said legel of privilege decreasing as the 
associated ring number increases 125 
comprising means for determining the 
maximum effective address ring number 
EAR (i.e. minimum level of privilege) of a 
selected process to access a selected group 
of information, said means comprising: 130 
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(a) first means to store first infonnation 
indicating the maximum ring number RD 
(i.e. mmimum level of privilege) required to 
read infonnaiion from said selected group; 

(b) second means to store second 
informalton indicating the maximum ring 
number WR (i.e. minimum level of 



privilege) required to write infonnation into 
said selected group; 

^ (c) third means to store third 
information indicating the maximum ring 
number MAXR (i.e. minimum level of 
privilege) required to process information 
from said selected group; and, 

(d) fourth means communicatiog with 
&aid first, second and thir<I means, to 
determine the maximum of the contents of 
said first, second and third means whereby 
the effective address ring number EAR is 
generated. 

The present invention, however, both as 
to organization and operation thereof may 
b«i be understood by reference to the 
following description which is given by way 
of example in conjunction with the 
acwmpanying drawings in which: 

Figure I is a block diagram of a computer 
system utilizing the invention. 

Figure 2 is a schematic diagram 
Illustrating the levels of privil^e of the 
invention. 

Figure 3 is a flow diagram of the 
segmented address scheme utilized by the 
invention. 

Figures 4A — 4J are schematic diagrams 
of various novel hardware structures 
utilized in the invention. 

Figure 5 is a schematic diagram of the 
computer ring protection hardware. 

Figure 6 is a schematic diagram of the 
computer segmented addressing hardware 
Figures 7a^7h and Figures &h-«c are 
detailed logic block diagrams of the ring 
protection hardware. 

Figures 9a— 9k is a legend of the symbols 
utihzed m the diagrams of the invention. 

Figure 10 is a schematic diagram of three 
stack segments, one each for nng 0, 1 and 3 
respectively. 

Figure 1 1 A shows the format of the Enter 
Procedure instruction. 

Figure MB shows the format of a 
procedure descriptor. 

Figure I IC shows the format of a gating 
procedure descriptor GPD the first word of 
the segment containing the procedure 
descnpiors. 

Figure 1 1 D shows the format of the Exit 
Procedure instruction. 

Figure 12 is a flow diagram of a portion 
of the Enter Instruction pertaining to ring 
crossing and ring checking. 

Figure 13 schematically shows a segment 
descriptor and the segment containing 
procedure descriptors. 



higures 14—16 are flow diagrams 
showing various operations that are 
performed when the Enter Procedure 
instruction is executed. 

Figure 17 is a flow chart of the Exit 
Instruction. 

As previously discussed the ring concept 
of information protection was originated on 
MULTICS and implemented on various 
Honeywell (Registered Trade Mark) 
Computer Systems. The original MULTICS 
concept required 64 rings or level of 
pnvilege and later implementation had the 
eauivalent of two rings on the Honeywell 
645 and 8 rings on the Honeywell 6000 
(Registered Trade Mark). The embodiment 
described herein groups data and 
procedure segments in the system into a 
h|[erarchy of 4 rings or classes. (Refer to 
Rgurc 2). The 4 rings or privilege levels are 
idcntined by integers 0—3; each ring 
represents a level of privilege in the system 
with level 0 having the most privilege and 
level 3 die leasL Level 0 is known as the 
inner ring and level 3 as the outer ring. The 
basic notion as pteviously discussed is that 
a procedure belonging to an inner ring has 
free access to data in an outer ring. 
Conversely a procedure in an outer ring 
cannot access data in an inner riqg without 
mcurnng a protection violation exception. 
Transfer of control among pnocedures is 
monitored by a protection mechanism such 
that a procedure execution in an outer ring 
cannot directly branch to a procedure in an 
inner ring. This type of control transfer is 
possible only by execution of a special 
;*proccdure.cair' instruction. This 
instruction is protected against mfeuse in a 
number of ways. First, a gating mechanism 
IS avilable to ensure that procedures are 
entered only at planned entry points called 
gates when crossing rings. The segment 
descriptor of such a procedure contains a 
gate bit indicating that procedures in this 
segment can be entered only via gales; 
inrormation regarding these gales is 
contained at the beginning of the segment 
and IS used by the hardware to cause entry 
at a le^l entry-point. The procedure itself 
must then venfy (in a way which, of 
necessity depends on the function of the 
procedure) that it is being legitimately 
called. A further hardward protection 
mechanism is available in the case that the 
calling procedure supplies an address as a 
parameter; it is then possible that the more 
privileged procedure would invalidly 
modify information at this address which 
the less privileged caller could not have 
done, since the ring mechanism would have 
denied him access; an address validation 
instruction is available to avoid this 
possibility. 

An important convention is required J 30 
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here in order to protect the procedure call 
mechanism. This stales that it is not in 
general permissible to use this mechanism 
to call a procedure in a less privileged ring 
5 and return to the more privileged one. This 
restriction is necessary since there is no 
assurance that the procedure in the higher 
ring will, in fact, return; that it will not, 
accidentally or maliciously, destroy 
10 information that the more privileged 
procedure is relying upon; or that it wifl 
not, accidentally or maliciously, violate the 
security of the stack (see GLOSSARY for 
definition). Any of these could lead to 
15 unpredictable results and crash the system. 
The level of privilege are quite 
independent of the process control 
mechanism and there is no notion here of 
privileged and non-privileged processes as 
20 m the IBM system 360 (Registered Trade 
Mark). Instead the same process can 
execute procedures at different levels of 
privilege (rings) subject to the restrictions 
imposed by the ring mechanism. In this 
25 sense the ring mechanism can be viewed as 
a method for subdividing the total address 
space assigned to a process according to 
level of privilege. 
The ring mechanism defined herein 
30 permits the same segment to belong to up 
to 3 different rings at the same time i.e. 
there are 3 ring numbers in each segment 
descriptor, one for each type of possible 
access. Thus the same segment can be in 
35 ring one with respect to "write" access, ring 
two with respect to **cxecutc" access and 
ring three with respect to "read" access. 
One obvious use for this is m the case of a 
procedure segment which can be written 
40 only by ring zero (perhaps the loader) but 
can be executed in ring three. 

Of the four available rings, two are 
allocated to the operating system and two 
to users. Ring zero, the most privileged 
45 ring, is restricted to those operating system 
segments which are critical to the operation 
of the whole system. These segments form 
the hard core whose correctness at ail times 
is vital to avoid disaster. Included would be 
50 the system information base, those 
procedures dealing with the organisation of 
physical memory or the initiation of 
physical data transfer operations, and the 
mechanisms which make the system 
55 function, like the "exception supervisor, 
the scheduler, and the resource 
management". 

Ring one contains a much greater 
volume of operating system segments 
60 whose failure would not lead to catastrophe 
but would allow recovery. Included herein 
arc the language translators* data and 
message management, and job and process 
management. Through the availability of 
65 two rings for the operating system, the 



problem of maintaining system integrity is 
made more tractable, since the smaller hard 
core which is critical is isolated and can be 
most carefully protected. 

Rings two and three are available to the 70 
user to assign according to his requirement. 
Two important possibilities are debugging 
and proprietary packages. Programs being 
debugged may be assigned to ring two while 
checked out programs and data with which 75 
Ihcy work may be in ring two; in this way 
the effect of errors may be localized. 
Proprietary programs may be protected 
from their users by being placed in ring two 
while the latter occupy ring three. In these 80 
and other ways, tlwse two rings may be 
flexibly used in applications. 

The General Rules of the Ring System 

1. A procedure in an inner ring such as 85 
ring 2 on Figure 2 has free access to data in 

an outer ring such as ring 3 and a legal 
access (arrow 201) results. Conversely a 
procedure in an outer ring such as ring 3 
cannot access data in an inner ring such as 90 
ring 2 and an attempt to do so results in an 
illegal access farrow 202). 

2. A procedure in an outer ring such as 
ring 3 can branch to an inner ring such as 
ring I via gate 2D4 which results in a legal 95 
branch 203, but a procedure operating in an 
inner ring such as ring 2 may not branch to 

an outer ring such as ring 3. 

3. Each segment containing data is 
assigned 2 ring values, one for read (RD) 100 
and one for write (WR). These nog values 
specify the maximum ring vbIuc in which a 
procedure may execute when accessing the 
data in either the read or write mode. 

Each time a procedure instruction is 105 
executed, the procedure's ring number 
(effective address ring, EAR) is checked 
against the rin^ numbers assigned to the 
segment containing the referenced data. 
The EAR is the maximum number of 110 
process ring numbers in the processor 
instruction counter (sec later description) 
and all rin^ numbers in base registers and 
data descriptors found in the addressing 
path. Access to the data is granted or 115 
denied based on a comparison of the ring 
numbere. For example, if a system table 
exists in a segment having a maximum 
read/ring value of 3 and a maximum 
write/ring value of I . then a user procedure 120 
executing in ring 3 may read the table but 
may not update the table by writing therein. 

Procedure CaJls and the Stack Mechanism: 

The procedure call and stack mechanism 125 
is an apparatus being described herein 
Procedure calls are used to pass from one 
procedure to another; to allow user 
procedures to employ operating system 
services: and to achieve a modular 130 
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structure within the operating system. A 
procedure call is effected by instructions 
and a hardware recognized entity called a 
Slack. 

5 A stack is a mechanism that accepts, 
stores and allows retrieval of data on a last- 
in-firsl-out basis. Stacks reside in special 
segments called stack segments. A stack 
segment consists of a number of contiguous 
10 parts called stack frames which arc 
dynamically allocated to each procedure. 
The first stack frame is loaded into the low 
end of the segment and succeeding frames 
are loaded after it. The last frame loaded is 
15 considered the top of the stack. A T- 
rcgrstcr 1 14 (sec Figure I) locates the top of 
the stack for the currently active process. A 
virtual T-rcgistcr exists in the process 
control block (PCB) of all other processes 
20 in the system. 

A stack frame consists of three areas: a 
work area in which to store variables, a save 
area in which to save the contents of 
registers, and a communications area in 
25 which to pass parameters between 
procedures. Prior to a procedure call, the 
user must specify those registers he wishes 
saved and he must load into the 
communications area the parameters to be 
30 passed to the called procedure. When the 
call is made, the hardware saves the 
contents of the instruction counter and 
specified base registers to facilitate a letum 
from the called procedure. 
35 Each procedure call creates a stack 
frame within a stack segment and 
subsequent calls create additional Uramcs. 
Each exit from one of these called 
procedures causes a stack frame to be 
40 deleted from the stack. Thus, a history of 
calls is maintained which facilitates orderly 
returns. 

To ensure protection between 
procedures executing in different rings, 

45 different stack segments are used There is 
one stack segment corresponding to each 
protection ring per process. A process 
control block (PCB) contains three slack 
base words (SBW) which point to the start 

50 of the stack segment for rings 0, I and 2 
associated with the process. The ring 3 
stack segment can never be entered by an 
inward call: therefore, its stack starting 
address is not required in the PCB. 

55 The procedure call is used by users who 
have written their programs in a modular 
way to pass from one program module to 
another. It is used by user programs to avail 
themselves of operating system services. It 

60 is used by the operatmg system itself to 
achieve a responsive modular structure. 
The procedure call as is described in the 
above referenced patent ai^plication is 
effected by hardware instructions and the 

65 hardware recognizable stack- mechanism. 



The main requirements on a procedure 
call mechanism are: 

t. Check the caller's right to call the 
caller; 

2. Save the status of the caller which 70 
includes saving registers, instruction 
counter (for return), and other status bits; 

3. Allow for the passing of parameten; 

4. Determine valtd entry pmnt for die 
called procedure: 75 

5. Make any necessary adjustmenu in 
the addressing mechanism; 

6. Enter the new procedure. 

When the called procedure terminates or 
exits, whatever was done in the call must be ^ 
undone so that the status of the calling 
procedure is restored to what it was before 
the call. 

As a preliminary to making a procedure 
call, the instruction PREPARE STACK is 85 
executed. This instruction causes those 
registers specified by the pro^ammer in 
the instruction to be saved in the stack. It 
causes the status le^ster (see Figure I) to 
be saved, and provides the programmer 90 
with a pmnter to parameter space which he 
may now load with information to be 
pased to the called procedure. 

Another instruction ENTER 
PROCEDURE p<aTnhs the procedure call 95 
via the following steps corresponding to the 
requirement specified above: 

1. Ring checking--the callcr*s ring is 
checked to make sure that tins ring may call 

the new procedure; the call must be to a 100 
smaller or equal ring number; and if ring 
crossing does occur the new procedure 
must be gated through agate 204 of Figure 

2. The new ring number will then be that 

of the called procedure. JQ5 
Z The instruction counter is saved; 

3. Base regbtcr 0 (see Figure 1) is made 
to point effectively to the parameters being 
passed; 

4. The entry-point of the called HO 
procedure is obtained from a procedure 
descriptor whose address is con- 
tained in the ENTER PROCEDURE 
INSTRUCTION; 

5. A point to linkage information is 115 
loaded in base register number 7. 

6. TTic new procedure is entered by 
loading the new ring number and the 
address of the entry-pomt in the instruction 
counter. f20 

The remainder of the current stack- 
frame is also available to the called 
procedure for storage of local variables. 

When the called procedure wishes to 
return, it executes the instruction EXIT 125 
PROCEDURE. The registers and the 
instruction counter are then restored from 
their saving areas in the stack. 

Referring to Figure I there is shown a 
block diagram and a computer hardware 130 
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system utilizing the invention. A main 
memory 101 <s comprised of four modules 
of metal-oxide semi-conductor (MOS) 
memory. The four memory modules 1—4 

5 are interfaced to the central processor unit 
100 via the main store sequencer 102. The 
four main memory modules 1 — 4 are also 
interfaced to the peripheral subsystem such 
as magnetic tape units and disk drive units 

10 (not shown) via the main store sequencer 
1Q2 and the IOC (not shown). The main 
store sequencer gives the capability of 
providing access to and control of all four 
memory modules. 

15 Operations of the CPU arc controlled by 
a read only memory ROM, herein called 
the control store unit 1 10. 

The control store interface adapter 109 
communicates with the control store unit 

20 no, the data mangagemcnt unit 106, the 
address control unit 107 and the arithmetic 
logic unit 112 for directing the operation of 
the control store memory. Tnc control 
store interface adapter 109 includes logic 

25 for control store address modification, 
testing, error checking, and hardware 
address generation. Hardware address 
generation is utilized generally for 
developing the starting address of error 

10 sequencers or for the initialization 
sequence. 

The buffer store memory 104 is utilized 
to store the most frequently used or most 
recently used information that is being 

35 processed by the CPU. 

The data management unit 106 provides 
the interface between the CPU 100 and 
main memory 101 and/or buffer store 
memory 104. During a memory read 

40 operation, information may be retrieved 
from main memory or buffer store memory. 
It is the res}>onsibility of the data 
management unit to recognize which unit 
contains the information and strobe the 

45 information into the CPU registers at the 
proper time. The data management unit 
also performs the -masking during partial 
write operations. 

The instruction fetch unit 108 which 

50 interfaces with the data management unit 
106, the address control unit 107, the 
arithmetic and logic unit 112 and the 
control store unit 1 10 is responsible for 
keeping the CPU 100 supplied with 

55 instructions. 

The address control unit 107 
communicates with the instruction fetch 
unit 108, the buffer store directory 105, the 
main store sequencer 102, the arithmetic 

60 logic unit 112, the data management unit 
l(>6, and the control store unit 110 via the 
control store interface adapter 109. The 
address control unit 107 is responsible for 
all address development in the CPU. 

65 Interfacing with the address control unit 



107, the instruction fetch unit 108 and the 
control store unit 1 10 is the arithmetic logic 
unit 112 which is the primary work area of 
the CPU 100. Its primary function is to 
perform the arithmetic operations and data 7q 
manipulations required of the CPU. 

Associated with the arithmetic loeic unh 
112 and (he control store unit 110 is the 
local store unit 111 which typically is 
comprised of a 256-location (32 bits per 75 
location) solid state memory and the 
selection and read/write logic for the 
memory. The local store memory 111 is 
used to store CPU control information and 
maintain ability information. In addition. 80 
the local store memory 111 contains 
working locations which arc primariiy used 
for temporary storage of operands and 
partial results during data manipulation. 

The centra] processing unit 100 typically 85 
contains 8 base registers (BR) 116 which 
are used in the process of address 
computation to define a segment number, 
an onset, and a ring number. The offset is a 
pointer within the segment and the rmg 90 
number is used in the address valklity 
calculation to determine access rights for 
a particular reference to a segment 

The instruction counter 118 
communicates with the main memory local 95 
register (MLR) 103 and with the instruction 
fetch unit 108, and is a 32-bit register which 
contains the address of the next instruction, 
and the current ring number of the process 
(PRN). Also contained in the central 100 
processing unit is a T register 114 which 
also interfaces with the instruction fetch 
unit 108 and is typically a 32-bit register 
containing a segment number and a 16-bit 
or 22-bit positive integer defining the 105 
relative address of the top of the procedure 
stack. The status register 115 is an 8-bh 
re^ster in the CPU which among other 
things contains the last ring number — i.e. 
the previous ^ue of the process ring 110 
number (PRN). 

The main memory 101 is addressed bv 
the memory address register (MAR) lly, 
and the inU^rmation addressee by (MAR) 
1 1 9 is fetched and temporarily stored in the 1 1 5 
memory local register (MLR) 103. 
• Referring now to Figure 3 there is shown 
a flow diagram of the general rules for 
segmented address development shown in 
detail in the above mentioned copending 120 
patent application No. 21630/74, Serial No. 
1,465,344. Figure 3 when read in 
conjunction with the above referenced 
patent application is self-explanatory. 
There is however one major difference 125 
between the address development as shown 
on Figure 3 lo that of the above mentioned 
application and that is that in the address 
development of Figure 3 of the instant 
application as many as 16 levels of 130 
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indirection may be utilized in the address 
development whereas in the above 
referenced application the levels of 
indirection were limited to a maximum of 
5 tvvo. This of course is a matter of choice 
with tJie designer and in no way alters the 
high level inventive concept. 

Referring now to Figures 4A — 4J, 
lA .^"^"^^ show the fonnat of the 

I V instruction counter designated by reference 
numeral 118 on Figure 1. The instruction 
counter (IC) 1 18 is a 32-bit register which 
contains the address of the next instruction, 
and the current ring number of the process 
1 5 (PRN). Referring specifically to Figures 4A 
and 4B the TAG is a 2.bit field wWch 
corresponds to the TAG field of data 
descriptors shown and described in the 
above reference application entitled 
2U ^Segmented Address Development**. PRN 
IS a 2-bit field which defines Che current ring 
number of the process to be used In 
determination of access rights to main 
storage. SEG is typically either a 12-bit or a 
25 6-bit field which defines the segment 
number where instructions are being 
executed. The OFFSET is typically either a 
16-bit or a 22^it field which defines the 
address of the instruction within the 
30 segment SEG. 

Figures 4C— 4F show the format of 
segment descriptors with Figures 4C and 
40 showing the first and second word of a 
direct segment descriptor whereas Figures 
35 4E and 4F show the first and second word 
of an indirect segment descriptor. Segment 
descriptors are two words long each word 
comprised of 32 bits. Referring to figures 
4C— 4D which show the first and second 
40 word respectively of a direct segment 
descriptor, P is a presence bit If P equals 
one, the segment defined by the segment 
descriptor is present in main storage. If P 
equals zero, the segment is not present and 
45 a reference to the segment descriptor 
causes a missing segment exception. All 
other fields in a segment descriptor have 
meaning only if P equals one. A is the 
availability bit. If A equals zero, the 
50 segment is unavailable (or locked) and a 
reference to the segment causes an 
unavailable segment exception. If A equals 
one, the segment is available (or unloclced, 
and can be accessed). I is the indirection 
55 bit. If 1 equals zero, the segment descriptor 
IS direct. If I equals one, the segment 
descnptor is indirect. U is the used bit. If U 
equals zero, the segment has not been 
accessed. If U equals one, the segment has 
00 been accessed. U is set equal to one by any 
segment access. W is the written biL If W 
equals zero, no write operation has been 
pcrfomied on the segment. If W equals one. 
a WRITE operation has been performed on 
65 the segment, W is set to one by any WRITE 
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operation. GS is the gadng-seraaphore bits. 
When the procedure call mechanism 
referred to above requires that the segment 
be a gating segment or when the process 
communicaUon mechanism (not shown) jq 
requires that the segment be a segment 
descriptor segment (SD) the GS bits are 
examined. To be a valid gating segment, the 
GS bits must have the value 10. To be a 
valid SD segment, the GS bhs must have 75 
the value 01. If a gating or SD segment is 
not required, these bits arc ignored. The 
BASE h a 24-bit field which defines the 
absolute address in quadruple words of the 
first byte of the segment. This field is an 
multiplied by 16 to compute the byte 
address of the segment base. The SIZE is a 
field which is usad to compute the segment 
size. If the segment table number, 
subsequently referred to as STN, is greater 
or equal to zero but less than or equal to six, 
the SIZE field is 18 bhs long. The STN is a 
field indicating the segment table entry STE 
for selecting a segment descriittor. If the 
STN is greater than or equal to 8 but less on 
than or equal to 15. the S^ field is 12 bits 
long. The number of bytes in the s^ment is 
equal to 16 tiroes (SI2E+I). If SIZE equals 
zero, the segment size is 16 bytes. RD is the 
read access field. This is a 2-bit field wfafch 05 
specifies the maximum EAR (effective 
address ring number) for which a read 
operation is permitted on the segment (A 
procedure is always permitted to read its 
own segment if EAR equals PRN). WR is im 
the write access field. This is a 2-hit field 
which specifies the maximum EAR for 
which a write operation is permitted on the 
segment and the minimum PRN at which 
the segment may be executed. MAXR is 105 
the maximum ring number. This is a 2-bit 
field which specifies the maximum PRN at 
which the segment may be executed. WP is 
the write permission bit. This bit indicates 
whether a WRITE operation may be 110 
performed on the segment. If WP equals 
zero, no WRITE operation may be 
performed. If WP equals one, a WRITE 
operation may be performed if EAR is 
greater than or equal to zero but less than 1 15 
or e<iual to WR, EP is the execute 
permission bit. This bit specifks whether 
the segment may be executed. If EP equals 
zero, the segment may not be exectUed. If 
EP equals one, the segment may be |20 
executed at any PRN for which PRN is 
greater than or equal to WR but less than or 
equal to MAXR. MBZ is a special field 
which must be set to zero by software when 
the field is created, before its initial use by 125 
hardware. 

Referring to Figures 4E — 4F the 
definitions of the various fields are similar 
as above however word 0 includes a 
LOCATION field and word I includes a I30 
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RSU field. The LOCATION field is a 28-bit 
field ivhich defines the absolute address of a 
direct segment descriptor. The value in the 
LOCATION field must be a mulipic of 8. 
5 The RSU field is a special field which is 
reserved for software use. 

Figures 4G — 4H show the format of the 
base registere (BR) which are used in the 
process of address computation to define a 

10 segment ubie number, a se^ent table 
entry number, an offset, and a ring number. 
There arc typically 8 base registers as 
shown by reference numeral 1 16 on Figure 
1. A base register is specified or identified 

15 as base register 0 through 7. The size of a 
base register is 32 biu long. The base 
register format of Figure AG is utilized for 
small segment i.e. where STN is greater or 
equal to 8 but less than or equal to 15, 

20 whereas the format of base register of 
Figiu*e 4H is utilized for large segments i.e. 
STN is greater or equaJ to zero but less than 
or equal to six. Referring to Figures 
4G--4H, TAG is a 2-bil field which 

25 corresponds to the TAG of a data 
descriptor referenced previously. RING is 
a 2-bit field which contains the nng number 
associated with the segmented address for 
protection purposes. S£G is a field 

30 previously referred to, which identifies a 
segment described in a segment table. STN 
is the segment table number, and STl: is the 
segment table entry number. OFFSET is a 
16-^>it field or a 2/-bit field depending on 

35 segment table number, which defines a 
positive integer. The OFFSET is used in the 
process of address development as a 
pointer within a segment. 

Referring to Figures 41 — 4J there is 

40 shown the format of the T-registcr. The T- 
register is a 32-bit register containing a 
segment number and a 16-bit or 22-bit 
positive integer defining the relative 
address of the top of the procedure stack 

45 previously mentioned. The T-rcgistcr is 
shown by reference numeral 1 14 on Figure 
I , The various fields of the T-rcgistcr have 
the same definition as described above. 
Referring now to Figures 3 and 4A — 4J a 

50 more defined description of absolute 
address calculation and access checking is 
made. In general absolute address 
calculation consists of fetching a segment 
descriptor specified by STN and STE and 

55 using the segment descriptors in four ways: 
access checking, computation of tne 
absolute address, bound checking, and 
updating (U and W flags). As described in 
copending patent application No. 21630/74, 

60 (Serial No. 1.465,344) the absolute address 
may be direct or indirect and is derived by 
first deriving an effective address from 
STN, STE, and SRA (segment relative 
address). STN is extracted from bits 4 

65 through 8 of the base register BR specified 



in the address syllable of an instruction. If 
STN is 7, an out of segment table word 
array exception is generated. STE is 
extracted from the base register specified in 
the address syllable. If STN 4:4 (i.e., 70 
beginning at bit 4 and including the next 4 
bits) is greater than or equal to zero or less 
than or equal to six, STE is in a base regbtcr 
bits 8 and 9, If STN 4:4 (i.e. 4 bits beginning 
at bit 4) is greater than or equal to 8 but less 75 
than or equal to 1 5, STE is in a base register 
BR bits 8 through 15. The segment relative 
address SRA for direct addressing is 
computed by adding the displacement in 
the address syllable; the offset of the base 80 
register BR; and the 32-bit contents of an 
index register, if specified in the address 
syllable. The .sum of these three quantities 
is a 32-bit unsigned binary integer which 
must be less than the segment size S5 
appropriate to the segment STN, STE. 

Indirect addressing is developed by 
fetching a data descriptor and developing 
an address from that descriptor. The 
effective address of the daU descriptor is 90 
computed as in the direct addressing case 
with the ^ception that the index register 
contents are not used. In developing the 
address from the data descriptor the 
effective address may be computed by an 95 
indirection to segment (TS descriptor and 
an indirection to base ITBB desc riptor . If 
the descriptor is ITS the STN and STE are 
extracted from the descriptor in the same 
manner as from a l>asc register. SRA is 100 
computed by adding the displacement in 
the descriptor and the contents of an index 
register as specified in the syllable. If the 
d<^riptor is an fTBB descriptor then STN 
and STE arc extracted from the base 105 
register specified in the BBR field (i.e. the 
base register implied by ITBB descriptor) 
of the descriptor as in direct addressing. 
SRA is computed by adding the 
displacement in the descriptor, the onset of 1 10 
the base register, and the contents of an 
index register is specified in the address 
syllable. 

As shown on Figure 3 the indirection 
process may be extended up to 16 levels. 1 15 

Every effective address contains 
protection information which is computed 
in address development and checks for 
access rights by the ring protection 
hardware of the absolute address 120 
calculation mechanism. The effective 
address contains protection information in 
the form • of an effective address ring 
number EAR (see Figures 2J and 2K. of 
above application No. 2163Qr74, (Serial No. 125 
1,465,344). The EAR is computed from the 
base register ring number BRN and from 
the current process ring number PRN by 
taking the maximum ring number. In 
developing the EAR for indirect addressing |30 
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a somewhat more tedious but essentially 
similar procedure as indirect addressing is 
used. In indirect addressing the EAR for 
extraction of the first descriptor (EAR 1) is 
once again the maximum of the ring 
number from the base register specified in 
the address syllable and the current process 
nng number PRN in the instmction counter 
US of Figure 1 and stored in 00 register 512 
of Rgurc 5. The EAR for extraction of the 
second descriptor (EAR 2), of multiple 
level indirection is the maximum of 
a. EAR I; 

^ T^c ring number in the first descriptor 
if mdircction is indirection to segment; 

c. The ring number from a base register 
1 16 utilized as a data base register BBR if 
the first descriptor is an indirection to 
segment descriptor ITBB. 

The EAR for extraction of the data of 
multiple level indinection is the maximum 
of: 

a. EAR 2: 

b. The ring number in the second 
descriptor if it is an indirection segment 
descriptor ITS; 

c. The rin^ number in one of the base 
registers utilized as a dau base register 
BBR if the second descriptor is an 
indirection to base descriptor ITBB. 

Referring now to Figures 5 and 6, the 
transfers and manipulation of the various 
type ring numbers wili be described 
at the system level. Detailed logic block 
diagrams for effecting the transfers and 
operations of Figure 5 will be later 
described. Referring first to Figure 6 an 
associative memory 600 is utOized in 
segmented address development. The 
associative memory 600 comprises 
essentially a UAS associator 609 which has 
circuitry which includes associative 
memory cells, bit sense amplifiers and 
drivers, and word sense amplifieis and 
drivers (not shown). A word or any part of a 
word contained in UAS associator 609 may 
be read, compared to another word with a 
match or no match signal generated 
, thereby, or be written cither in whole or in 
a selected part of the associator 609. For 
example, US register 607 may contain a 
segment number which may also be in the 
associative memory 600. A comparison is 
made with UAS associator 609 and if a 
^'^tch is found a "hit** results. The match 
or "hit" signal is provided to encoder 610. 
The function of encoder 610 is to transform 
the "hit" signal on one of the match lines to 
a 4 bit address. Encoder 610 provides this 4 
bit address to UAB associator buffer 61 1 so 
that the information contained in that 
particular location of UAB associator 
buffer 611 is selected. Information in UAB 
associator buffer 61 1 may be transferred to 
UV register 613 for temporary storage or 
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for transfer to QA or QB bus 614 and 615 
respectively. By thus locatinjg a prestored 
SOTnent number of the associative memory 
600 (which may have been placed there 
after a generation of an absolute address) 
regeneration of the same address is not 
nece^ary. In the drawing of Figure 6, UAB 
associator buffer 61 1 is shown as storing a 
first and second word of a segment 
descriptor; however other types of 
information may just as well be stored 
therein. This buffer 61 1 provides a function 
similar to that of buffer 104 in the more 
generalised diagram of Figure 1. 

As mentioned supra the development of 
an absolute address of an operand from an 
effective address is disclosed in patent 
application No. 21630/74, (Seriau No. 
K465.344). Briefly and with reference to 
Figure 6 any of 8 base niters 602 are 
addressed via UG and UH roisters 603 and 
604 respectively which contain base register 
addresses from an instruction address 
syllable or base register specified by the 
instruction formats. The base i^gister 602 
contain such information as TAG, base 
register ring number BRN, segment table 
n umber S TN, s^ment table entry STE and 
OFFSET as shown or contained by base 
. registers I and 2 of the group of base 
registers 602. Writing into the base registers 
is performed under micro-op control by 
UWB logic 601, For example it is shown 
that information from the UM r^^ster 502 
of Figure 5 may be written into bit positions 
(2, 3) of a selected base register; also 
information from the QA bus may be 
written into the base registers and 
provisions are made to clear a selected base 
register i.e. write all zeroes. Reacting out of 
anv of the base registers is performed by 
UBR logic 605. In general the UBR logic 
605 permits the appropriate base register to 
be strobed out onto bus QA or QB, or mto 
UN register 608. Note that UN register 608 
holds bits 8 through 31 of the base registers 
which is the OFFSET part of the segmented 
address. Moreover UBR logic 60S when 
addressed by an address contained in 
instruction buffer IB (not shown) reads out 
the segment number SEG (which is 
comprised of STN and STE) into US 
roister 607 via UBS transfer logic 606. The 
comparison of the segment number SEG in 
US register 607 with the associative 
memory 600 may then be performed as 
previously described. It will be noted that 
bits (4—1 5) of QA bus 6 14 may also be read 
into or from US register 607. Similariy bits 
(8 — 31) from QA bus 614 may read into UN 
register 608. Also bits (9-^11) of the US 
register 607 may be read into QA bus 6 14 as 
denoted by US (9—1 1) arrow (the arrows 
into various register and/or logic circuitry 
denote the source of data and that followed 130 
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by a number denote the bit numbers of that UO register is used to save address syllable 
^^^K ■ ^ ^ effecfivc address ring number EAR in the 

Referring now to Figures 5 and 6, a 2-bit event the address syllable 2 is being utilized 
UP register 501 stores the current process to extract EAR 2. 

5 ring number PRN. The current process ring Two-bit UV register 503, and 2-bit UW 70 
numbers PRN is obtained from bits 2 and 3 register 504 is utilized mainly as storage for 
of the instruction counter (1 18 or Figure 1) various ring numbers that are obtained 
via bits IC (2«— 3) of the QA bus 614 of from the outside of the ring checking 
Figure 6, Bits IC (2—3) of QA bus 614 are hardware of Figure 5 and transferred or 

10 transferred to 2-bit UV register 503 under processed to other parts of the ring 75 
control of a micro-operation UV9QA0. The checking hardware. For example the base 
micro-operations are obtained from micro- register ring number BRN is transferred 
instructions in the control store unit 1 10. from bit positions 2 and 3 of UBS transfer 
(On Figure 5 the dot surrounded by a circle logic 606 to UV register 503 under control 

15 indicates a micro-operation and the first of the micro-operation UVFBSO; the go 
two letters of the name of the micro- maximum ring number MAX R of won! 2 of 
operation indicate the destination of the the segment descriptor (also shown stored 
data to be transferred; the fourth and fifth in bits 36 and 37 of UAB associator buffer 

letters indicate the source of the data 611) is transferred from UAB buffer 611 to 

20 transferred; the third character indicates UV register 503 under control of the micro- 85 

whether a full or partial transfer is made operation UVFABI; also bits 34 and 35 of 
mth F indicating a full transfer while the UAB buffer 61! which is the write ring 

sixth character indicates whether the signal number WR is transferred to UV register 

doing the transferring is high or low with 503 under control of micro-operation 

25 even numbers indicating a low signul and UVFABO. UW register 504 has similar 90 

odd numbers indicating a high signal. As an transfers of other ring numbers from 

example of the use of this convention bits 2 various parts of the system. For example 

and 3 on QA bus indicating the tail of the bits 34 and 35 which are the write ruig 

arrow QA (2» 3) indicate PRN is the PRN number WR of UAB buffer 6 1 1 may also be 

30 process ring number that is being transferred to UW r<^ster 504 under 95 

transferred under control of the micro-op control of microH>pcration UWFABI; bits 

UV9QA0 which says the transfer is made to 32 and 33, the read RD rii^ number <^ 

register UV, is a partial transfer of the bos UAB buffer 61 1 may also be transfened to 

QA, and the source of the data is the bus UW register 504 under control of micm- 

35 QA and is an unconditional transfer as op UWFABO; also bits 0 and I of QA bus l(X> 

indicated by the sixth character being 0. 614 may be transferred to UW register 504 

Transfer to UV register from QA bus source under control of micro*operatlon 

is unconditional. This 0 will be the UW9QA0. Note also several transfer paths 

corresponding seventh character in the of UW register 504 into UV register 503 

40 logic file name of the subcommand under control of the micro-operation |05 

UV9QAlft. Once the process ring number UV9UW0: the transfer path of Uv register 

PRN is transferred from the QA bus 614 to 503 into UM register 502 under control of 

the UV register 503 another transfer takes micro-operation UM9UV0; the transfer 

place under control of the micro-operation path of UM register 502 into UP register 

45 UM9UV0 from UV register 503 to UM 501 under control of the micro-operation no 

register 502. Finally another transfer takes UP9UM0; the transfer path of UP register 

piace from UM register 502 to UP register 501 into UM register 502 under control of 

501 under control of a micro-operation micro-operation UM9UP0; the transfer 

UP9UM0. path of UM register 502 into UO register 

50 Two bit register UM 502 is utilized to 512 under control of micro-operation ||5 

generate the effective address ring number UO9UM0; and finally the transfer path of 

EAR during ITS and ITBB (Le. indirection UO register 512 into UM register 505 under 

to segment and indirection to base), control of the micro«operation UM9UO0. 
(EAR=MAX (BRN, PRN, DRNyBBR Briefly therefore UP register 501 holds 

55 (BRN) etc.) address formation for address the current process ring number PRN; UM 120 

syllable I and address syllabic 2 type register 502 and UO register 512 are utilized 

instruction format. The £AR is generated for transfer operations and also to generate 

according to the rules previously the EAR; UV re^er 503 may shore for 

enunciated by utilizing one or more tests various purposes and at different times the 

60 shown in block 5 10 and the maximum of the current process ring number PRN, the base 1 25 

rin^ number is obtained and stored in UM register ring number BRN, the majumum 

register 502 which stores the effective ring number MAXR, the write ring number 

address ring number EAR (detailed logic or WR, or the read ring number RD. UW 

making ihe comparisons of block 510 are register 504 may at various times hold the 

65 later shown and described in detail). The read ring number RD« the write ring 130 



12 



1,483,282 



\2 



number WR, and bits 0 and I of bus QA. 
UMR 505 is logic, the details of which are 
shown on Figure 8d. which compares the 
contents of registers UM and UV and 
5 produces the greater of the two values in 
the registers and this value is stored in UM 
register 502 under micro-operation control 
UMFMRO. This b one way of generating 
the effective address ring number EAR. 

10 UMR logic 505 may also produce the 
greater value of the contents of register UP 
or of bits 2 and 3 of UBS logic 606. This is 
another method and/or additional step In 
generating the effective address ring 

15 number EAR. UMR logic 505 is also 
utilized to determine whether or not a write 
violation has occurred by transferring a 
write ring number WR into UV register 503 
and then comparing the contents of the UM 

20 register 502 (holding EAR) with the 
contents of UV register 503 in order to 
determine which one has the greater 
contents. Since UM register 502 stores die 
effective address ring number EAR a 

25 comparison of the UM register and the UV 
register will Indicate whether EAR is 
greater than WR or vice versa. If WP (i.e, 
write permission bit in the segment 
deiK:riptor} is equal to I and if EAR lies in 

30 the range of O^EARsWR then a write 
operation may be performed into the 
segment. Note that UMR logic 505 may 
have inputs directly or indin^y from m 
registers 501 — 504, from other logic 506, 

35 507 and also from UBS logic 606. 

UWV l<^ic 506 corresponds to the detail 
logic of ngure 8a. UwV logic 506 has 
inputs directly or indirectly from registers 
501—504 and from logic 505, 507 

40 respectively and generates an exectite 
violation signal when a comparison of UW, 
UM and UV registers 504, 502, and 503 
respectively indicates that the statements 
that the maximum ring number MAXR is 

45 greater or equal to the effective address 
ring number EAR, and that EAR is greater 
or equal to the write ring number WR are 
not true i.e. in order for a procedure to be 
able to execute in a given segment 

50 'indicated by the effective address the 
maximum nng number MAXR roust be 
greater or equal to the effective address 
ring number and the effective address ring 
number EAR must be equal or greater than 

55 the write ring number WR. UWV logic 506 
also performs tests shown in block 510. 
Indications may be given that the contents 
of UW register is less than or equal to the 
contents of the UV register; the contents of 

60 the UM register is greater than or equal to 
the contents of the UV register; the 
contents of the UV register is equal to the 
contents of the UM register; the contents of 
the UV register is greater or equal to the 

65 contents of the UM register; and the 



contents of the UM register is greater than 
the contents of the UW register. Of course 
when performing these tests different 
values of ring numbers may occupy the 
registers. 70 

UEP logic 507 corresponds to the detail 
logic of Rgure 8b. UEP logic 507 in 
combination with UWV logic 506 generates 
the read violation exception. However the 
read violation exception may be overridden 75 
If the effective address ring number EAR 
equals the current process ring number 
PRN, since a procedure is always permitted 
to read its own s^ment, and if the segment 
number of the procedure segment 80 
descriptor (not shown herein) and the 
segment number of the address syllable 
utilized in generation of the effective 
address are the same. 

To illustrate the overriding of the read 85 
violation signal assume that the effective 
address read number EAR is greater than 
the read number RD vMch would generate 
a read violation high signal which would be 
applied as one input of AND gate 522. 90 
However the read violation exception 
signal may not be guierated even thoug}i 
there is a read violation signal if ue 
following two conditions exists: 

1. The effective address ring number 95 
EAR is equal to the process ring number 
PRN: i.e. the contents of register UM is 
equal to the contents of the r<^jistcr UP; 
and, 

2. The segment number contained in the 100 
address syllable of the segment in which a 
procedure desires to read is equal to the 
segment numbo- of the procedure s^^mrat 
descrisUn- (not shown) of the current 
procedure in execution and this is indicated 105 
by setting a bit called a P bit and located as 

the thirteenth bit of UE register 650. (U£ 
register 650 is a store for the contents of 
UAS associator 609 Yfhcn a '*hit" has 
resulted by a comparison of the contents of 1 10 
US register 607). Since this example 
assumes that EAR equals PRN, UEP logic 
507 will apply a high signal to AND gate 520 
as one input* and since it is also assumed 
that the segment number SEG of the {|5 
address syllable of the segment being 
addressed is equal to the segment number 
SEG of the procedure segment descriptor 
(not shown) of the currently executing 
procedure, then the P bit of the procedure 120 
segment descriptor will be set and hence 
the other input applied to AND gate 520 
will be high thus enabling AND gate 520; a 
high signal is therefore applied to the input 
of inverter 521 resulting in a low signal at |25 
the output of inverter 521 which low signal 
is then applied as another input of AND 
gate 522. Since there b a low signal to AND 
gate 522 no read violation exception signal 
can be generated by amplifier 523 even if 130 
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the third input signal applied to AND gate 
522 is high. 

To illustrate how a read violation signal is 
generated and not overridden, assume that 
5 the output of UEP logic 507 indicates that 
the contents of UM register is not equal to 
the contents of UP register. Then that input 
to AND gate 520 would be low and hence 
AND gate 520 would not be enabled and its 

10 output would be low and would be applied 
to the input of inverter 52 L Since the input 
of inverter 521 is low its output would be 
high which would be applied as one input of 
AND gate 522. If also the effective address 

15 ring number EAR is greater than the read 
ring number RD (i.e. contents of UM 
register is greater than contents of UW 
register) that signal would be high and 
would be also applied to another input of 

20 AND gate 522. AND gale 522 has still a 
third input which must also be high in order 
to enable AND gate 522. This third input is 
high when AND gate 526 is enabled. Since 
AND gate 526 has one Input terminal which 

25 is high when the 00 terminal of URVl F flop 
524 is low, AND gate 526 is enabled by 
applying the micro-operation read 
violation interrogate signal AJERVA to 
one input terminal of AND gate 526 while 

30 the 00 terminal of URVIF flop 524 is low. 
Thus AND gate 522 will have all input 
terminals high, generating the read 
violation exception signal. 
The execute violation exception is 

35 generated in two ways, ft vras seen earlier 
that an execute violation signal results 
when UWV logic 506 indicates that the 
inequalities WR is less than or equal to 
EAR, and EAR is less than or equal to 

40 MAXR arc not true. This high execute 
violation signal is applied to a one-legged 
AND gate 5.50 which in turn is applied to 
the input terminal of two-legged AND gate 
553 via amplifier 552. When an execute 

45 violation interrogate micro-operation signal 
AJEEVA is applied as another input of two- 
legged AND gate 553, this gate is enabled 
which in turn generates the execute 
violation exception Nna amplifier 554. The 

50 other method by which the execute 
violation exception is generated by the 
execute violation hardware 51 1 is when the 
execute permission bit £P is not set. When 
this conaition is true it is indicated by the 

55 seventh bit of UY register 613 being high; 
this bit is then applied lo the input terminal 
of one-legged AND gate 551 which is 
applied as a high signal to one input 
terminal of AND gate 553 via amplifier 552. 

60 When the execute violation interrogate 
micro-operation signal AJEEVA goes high, 
AND gate 553 is enabled and generates an 
execute violation exception via amplifier 
554. 

65 The write violation exception is also 



generated in two ways. It was seen 
previously how the UMR logic 505 
generates a write violation signal when 
EAR is greater than WR. This write 
violation signal is applied to one input 70 
termmal of AND gate 545. AND gate 545 is 
enabled when its second input terminal 
goes high thtis generating a write violation 
exception through amplifier 547. The 
second input terminal of AND gate 545 75 
goes high when AND eate 542 is enabled* 
AND gate 542 is enabled when the input 
signals applied to its input terminals are 
high. One input signal is high when UWV IF 
flop 541 is low which in turn applies a low 80 
sienal to the input terminal of inverter 543 
which in turn applies a high signal to one 
input terminal of AND gate 542; the other 
input signal is high when the write violation 
interrogate micro-op signal AJEWVA is 85 
high and this happens wheii it is desired to 
interrogate a procedure for the write 
violation exception. (Rip-flops URVIF, 
URNl F, aiKl UWVl F arc set low when any 
interrupts or softward occurs). (UWV2F, 90 
URV2F. and URN2F flip-flops are utHized 
to store back-up excess checking - 
information for ring checking). The other 
method for generating a wnte WolaUon 
exception is when the write permission bit 95 
WP is not set. This condition is indicated by 
bit 6 of UV register 613 being high. When 
this condition exists and the hi^ signai (i.e. 
the sixth bit of UV register) is apfrfi^ as one 
input of AND gate 546 and the interrogate 100 
signal 

AJEWVA is high and applied as 
another input of AND gate 546, then AND 
gate 546 is cabled and a write violation 
exception occurs via amplifier 547. 105 

Lc^c circuitry 591 comprised of flip- 
flops 532 and 533 in conjunction with 
amplifier 530 and AND gate 531 and 
inverter 530A permit the formation in 
register UM 502 of the maximum value of 1 10 
ring number (i.e. EAR) under control of a 
splatter instruction subcommand (not 
described herein) from the instruction fetch 
unit IFU. Assumina URNl F flip-flop 532 is 
set to logical 0 whereas URIn2F ftip-Hop 1 15 
533 is set to logical 1, then during the 
execution of the splatter subcommand, 
input terminal 531A of AND gate 531 will 
be high; therefore if flip-flop 532 is low 
(logical 0) then the signal will be inverted by 1 20 
inverter 530A and AND gate 53 i will be 
enabled. Hence the maximum value of the 
contents of UP register 501 or bits 2 and 3 
of logic vector UBS 606 will be strobed into 
UM register 502. Conversely if flip-flop 532 |25 
is a logical U then the contents of UM 
register 502 is not changed via the above 
mentioned sources and the EAR derived in 
UM register 502 via the addressing process 
of indirection is the one utilized. Flip-flop 130 
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533 is the back-up store for the EAR of 
addrcss-syiJable 2 when utilized. 

Referring now to Figures 7 and 8 and 
Figure 5 there is a correspondence wherein 
5 the detailed io^c for haniware in Figure 5 
is shown in Figures 7 and 8 as follows: 
Figure 7a and lAV register 504; Rgure 7b 
and UV register 503; jKigure 7c and block 
590: Fffiurc 7d and block 591 ; Figure 7c and 
10 block 592: Figure 7f and UP register 501; 
Figure 7g and UO register 512; Figure 7h 
and UM register 502; Figure 8a and UWV 
Ic^ic 506; Figure 8b and UEP logic 507; and 
Figure 8d and UMR logic 505. 
15 Referring to Figure 7a, the UW register 
504 is comprised of two flip-flops 715a and 
720a respectively, each flip-flop capable of 
holding one bit of information of the UW 
register. Coupled to flip-flop 715a are 4 
20 AND gates 7Ua— 714a which are OR'ed 
together, with each gate (except gate 713a} 
having two input terminals, and with at 
least one signal applied to each input 
terminal. AND gate 7 1 4a has one of its 
25 input tenninals coupled to the set terminal 
OWOOOIO of the flip-flop 715a. Fto-flop 
71 5a is also coupled to the terminal 1127 for 
receiving from a clock a timing signal called 
a PDA signal. Flip-flop 72C& coupled to 
30 AND gates 716a— 7 1 9a which are OR'ed 
together. One input terminal of AND gate 
716a is coupled to an input terminal ci 
AND gate 7 11 a; one input terminal of AND 
gate 717a is coupled to one input tenninal 
35 of AND gate 7 1 2a and one input tenninal of 
AND gate 719a is coupled to an input 
terminal of AND gate 714a, whereas the 
other input terminal of AND gate 719a is 
coupled to the set tenninal UWOOl 10 of the 
40 flip-flop 720a. Flip-flop 720a is also coupiod 
to the H27 tenninal for receiving TOA 
pulses. 

AND gates 701a— 704a arc OR*cd 
together each having their output terminal 

45 coupled to the input terminal of inverter 
705a. AND gate 706a is coupled to 
amplifler 708a; whereas AND gate 707a is 
coupled to aniplifier 709a; one input 
.terminal of AND gate 706a is coupled to 

50 one input tenninal of AND gate 707a. The 
output terminal of inverter 705a is coupled 
to one input terminal of AND gate 714a and 
719a; the output terminal of amplifier 708a 
is coupled to the input terminal of AND 

55 gate 7 1 3a and the output terminal of 
amplifier 709a is coupled to the input 
terminal of AND gate 7l8a- 

The signals applied to the inputs of AND 
gales and the signals derived as outputs 

50 irom amplifier, inverters, or flip-flops arc 
designated by letters forming a special 
code. Since both data signals and control 
signals are either applied or derived there 
are two codes, one code for the control 

b5 signals and one code for the data signals. 
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The code for the control signals arc 
previously described in detail and is 
sununarized here. Briefly the first two 
characters of a control signal indicate the 
destination of data to be transferred; the 70 
third character indicates whether a full or 
partial transfer is to be effected with the 
letter F indicating full transfer and any 
other character indicating a partial 
transfer; the fourth and fifth character 75 
indicates the source of the data, and if the 
source is identified by more than two letters 
only the last two letters need be used; the 
sixth and seventh characters arc usually 
numerals and indicate whether the signal is 80 
high or low i.e. an odd numeral in the sixth 
position indicates assertion and an even 
numeral in the sixth position indicates 
negation; the seventh position indicates 
whether this is the first, second, third, etc. 85 
level of occurrence of the signal. Data, on 
the other hand, is indicated dSferently. The 
first three characters of data indicates the 
source of the data, the fourth and fifth 
characters which may be numerals indicate 90 
the bit portions where the data is located in 
the soorce, and the sixth ami seventh 
position are similar to the control signals in 
that they indicate whether the sigEiaf is high 
CHT low and the level of occurrence of the 95 
signal. Generally the format itself indicates 
whether the signal is a control signal or a 
data signal and by reference to Figures 5 
and 6 the source and destination may be 
determined. There arc exceptions to thb 100 
general rule and they will be spelled out in 
the specification, and addenum. 

As an example of this convention it will 
be noted on Figure 7a that the following 
signals arc control signals: UWFABll, 105 
UWFABIO. UW9QA10. The following 
signals arc data signals UAB3410, 
UAB32I0, UAB3510. UAB3310, QAOOllO. 
and QAOOOIO. The following signals are 
exception PDARGIO is a timing signal 110 
whose source is the PDA clock; 
UWHOLIO is a hold signal for holding the 
information in the flip-flops 715a and 720a 
UW(»K10 and UWIBKIO are back-up 
logic whose main function is to extend the 115 
input capabilhy of flip-flops 715a and 720a 
by connecting the UW register which is in 
fact formed by flip-flops /15a and 72Qa, to 
bit zero and bit I represented hy flijv-flops 
715a and 720a respectively; and finafiy 120 
USCLRIO is the clear signal for clearing 
and setting the flip-flops to zero. 

As an illustration of the above mentioned 
convention herein adopted the signal 
UWFABll applied to the input of one- 125 
legged AND gate 702a is a control signal 
which transfers data {bits 34 and 35) 
contained in UAB associator buffer 611 
(the U in the signal has been omitted) to 
U W register 504 and is a full transfer to the 1 30 
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UW register 1; the odd number indicates to an input of AND gate 7l4g. The 
the signal is assertion. Signal UWFABIO UOHOLIO signal generated by inverter 
applied to the input of one-legged AND 705g is also coupled to an input of AND 
gate 703a is a control signal with the same gate 709g and 714g and is utilized to hold 
5 source and destination as the signal applied information in the UO register 512. XOO 70 
to AND gate 7a2a except that bus 32 and 33 represents a ground, whereas XNU means 
of UAB are transferred to UW register. The unused input, 

sienal UW9QAI0 applied to one-legged Figure 7f is a detailed logic block 
AND gate 704a is also a control signal diagram of UP register 501. It is similar to 

10, wherein data is transferred from QA bus Figure 7g described supra except that 75 
614 to the UW register and may be a partial different signals from different destinations 
transfer. The signal QAOOOlO applied to and different sources are applied. 
AND gate 706a is a data sicnal where data Referring now to Figure 7h there is 
is on QA bus 614 (the third position is not shown the detailed logic block diagram of 

15 herein utilized since the first two positions UM register 502, AND gate 701h--TO4h are 80 

adequately describe where the data is) and OR'cd together to produce the UMHOLIO 

Uiis data signal represents the bh identified hold signal via inverter 705h AND gates 

as 00 on QA bus 614. The signal QAOOl 10 is 706h— 709h arc OR'cd together and arc 

similar to the previous signal except the coupled to the input of AND gate 704h in 

20 data identified bv this signal is the data on order to extend the range of signals that 85 

position 01 of the QA bus 614. Thus by may be applied to produce the UMHOLIO 

utilizing this convention and Figures 5 hold signal. Similarly AND gates 

through 9 the ring protection hardware is 71 Ih— 714h are OR*ed together and 

fully defined and may be easily built by a coupled to the input of AND gate 723b in 

25 person of ordinary skill in the computer art. order to extend the raqgc of signals that 90 

Referring to Rgurc 7B there is shown the may be applied to Hip-flop 730h; and also 

detailed logic block dia^am for UV register AND gates 7 16h— 71wi are OR*ed tc^ether 

503. Signal UVHOLIO is a hold signal for and are coupled to the input oi AND gate 

UV register 503 which is generated via 727h in order to extend the range of s^als 

30 inverter 703b when none of the one-legged applied to flip-flop 731h. A line 740h for 95 

AND gates 701b— 708b has a high signal applying the PDA signals lo flip-flop 730h 

applied to it. UVHOL 10 signal is applied to and 73 1 h is coupled at point 73% and 735h 

AND gate 723b and causes information respectively. The inputofAND gate 703fa is 

stored in the UV register 503 to be held also expanded to provide two further inputs 

35 therein. Signal UVHOLIE coupled to the URNIPOO and IKNUMIO by coupling the 100 

input of AND gate 704b and to the ou^uts output of amplifier 733h to the input of 

of AND gates 705b~-708b extends the AND gate 703h. 

number of control signals that may Referring now to F^rcs 7c — ^7e there is 

generate the hold signal UVHOLIO. Signal shown detailed logic block diagrams of 

40 UVOBKIO coupled to the outputs of AND write exception control logic 590, IFU 105 

gates 710b — ^7 13b and to the input of AND subcommand control l<^c 591, and read 

gale 722b is also utilized to extend the violation exception control logic 592 

number of inputs signals that may be respectively. Referring first to Figure 7c 

applied to flip-flop 724b. Signal there is shown flip-flops 705c and 7I0c 

45 UVIBKiO coupled to the outputs of AND which correspond to flip-flops 541 and 540 1 10 

gates 7 16b — 718b and to the input of AND respectively. Under a micro-operation 

gate 727b similarly extends the number of URW2F10 subcommand the information in 

input signals that may be applied to flip-flop flip-flop 710c is transferred to flip-flop 

729b, 7Q5c, The UWVlHlO hold signal is utiliied 

50 Referring now to Figure 7g there is to hold the information transferred to flip- 1 15 

shown the detailed logic block diagram of flop 7lOc, whereas the UWV2HI0 signal is 

UO register 512. AND gates 70lg — ^704g are utilized to hold the information transferred 

OR' ed together and their output is applied to flip-flop 705c, Similarly in Figure 7d 

as an input to inverter 705g. AND gates information is transferred from flip-flop 

55 706g— 709g are also OR'ed together and 7I0d to flip-flop 705d under micro- 120 

their outputs are coupled to flip-flop 7IOg. operation signal URNS W 10, and in Figure 

' Also one input of AND gate 709g is coupled 7e information from flip-flop 7IOe is 

to the UOOOOiO terminal of flip-flop 710g. transferred to flip-flop 709e under control 

AND gates 7llg— 7l4g are also OR'ed of micro-operation signal URW2F10. • 

60 together and are similarly coupled to flip* Referring now to Figures 8a, 8b and 8d 125 

flop 71 5g, It will be noted also that an input there is shown detailed logic block 

of AND gate 706g is coupled to an input of diagrams of UWV logic 506, UWEP logic 

ANDgaic7llg;aninputof ANDgate707g 507, and UMR logic 505 respectively, 

is coupled to an input of AND gate 7i2g Referring first to Figure 8a there is shown 

65 and an input of AND gate 709g is coupled logic for generating a high signal when one 130 
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of the test conditions 510 is true and also for 
generating the execute violation signal 
when the contents of UW register is less 
than or equal to the contents of UM 
5 register is less than or equal to the contents 
of UV register is not true. When the signal 
UWLEVIO is generated it indicates that the 
contents of UW register 504 is less than or 
equal to the contents of UV register 503. 
iO The logic for generating this signal was 
derived pursuant to the following Boolean 
expression: 



Xi«CBCS)+<ABTJ)x(AC) 

Where Xj represents the output of 
1 5 amplifier 805a and the various letters of the 
expression represent different input 
terminals of AND gates 801a-'804a. 

An indication that the contents of UV 
register 503 is greater than or equal to the 
20 contents of UM register 502 is had when 
UVGEM 10 signal is generated. This signal 
is generated via inverter 820a in response to 
various inputs on AND gates 816a— 819a 
which are OR^ed together and coupled to 
25 the input of inverter 820a. The logic for 
generating the UVGEM 10 signal is made 
pursuant to the following Boolean 
expression: 



X^BCD>f.(ABD)+(AQ 

30 Ad indication that the contents of UM 
register 502 is greater than or equal to the 
contents of UV register 503 is indicated by 

fenerating signal UMGEVIO via inverter 
10a in response to the various inputs of 
35 AND gates 806a— 809a which are OR'cd 
together. The logic for generating this 
signal is derived from the following 
Boolean expression: 



xmbC15mabD)+{ac) 

40 (Wherein Xj is the generated output 

signal). 

Similarly the UVEQMIO signal is 
generated pursuant to the following 
Boolean expression; 



45 X4=(AC)+(AC)+(B DH(BD) 

Generation of the UVEQUMIO signal 
indicates that the contents of the UV 
register 503 is equal to the contents of the 
UM register 502. 

50 The generation of the UMGEWIO signal 
indicates that the contents of the UM 
register 502 is greater or equal to the 
contents of the UW register 504 and is 
generated pursuant to logic having the 

55 following Boolean expression: 



XHBCD)+{ABD>+(AC) 

Generation of the UMGTWIO signal 
indicates that the contents of UM register 
502 is greater than the contents of UW 
register 504 and this signal is generated by 60 
logic defined by the following Boolean 
expression: 

X^ABBH^D+A) 

The generation of the UWGMVOO signal 
indicates that the contents of UW register 65 
less than or equal to the contents of UM 
register less than or equal to the contents of 
UV register is not true. It is obtained when 
the UVGEM 10 signal indicating that the 
contents of UV register is greater than or 70 
equal to tht contents of the UM register, 
and the UMGEWIO signal indicating that 
the contents of the UM register is greater 
than or equal to the contents of the UW 
register are both higji. 75 

Referring now to Figure 8b a UMEQPIO 
signal is generated by logic derived from 
the following Boolean expression: 



Xe<ACKACH(B'&MBD) 

When this signal is hi^ it indicates that 80 
the contents of UM register 502 is greater 
than the contents of UP r^gist^ 501. 

Referring to Figure 8d there is shown the 
dctafled logic block diagram for peiformmg 
the operations of UMR lo^c 505 shown on 89 
Figure 5. One of the operations of this logic 
is to determine the maximum value of the 
contents of UP register 501 and of bits 2 and 
3 of UBS 10^606. In order to do this there 
must be an indication whether contents of 90 
UP is less than the contents of UBS or the 
contents of UP is greater than the contents 
of UBS. The generation of UPBEB 10 signal 
indicates that the contents of UP register 
501 is less than or equal to bits 2 and 3 of 95 
UBS logic 606; whereas the generation 
signal UPGTB 10 indicates that the contents 
of UP rOTSter 501 is greater than bits 2 and 
3 of U6S logic 6(i6. These signals are 
generated by logic which has been defined 100 
by the following Boolean expression: 



X,=(BCD)+{ABD)+(AC) 

Where Xg is the output of inverter 805d 
and the letters of the expression are various 
inputs of the AND gates 80ld--803d. 105 

To illustrate how the maximum value of 
the contents of UP register and UBS loRic 
may be determined by the output signals 
UMPBOlO and UMPB 1 10 of arapUfier 8t4d 
and 817d respectively, assume first that the 1 10 
contents of register UP are less than or 
equal to bets 2 and 3 of UBS loeic because 
bh 2 is 1 and bit 3 is 1 whereas uB register 
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contains 01. This is indicated by the signal 
UPLEBIO being high and the signal 
UPGTB 10 beinglow since it is the inverse 
of signals UPLEftlO. This high UPLEBIO 
5 signal is applied to one input of AND gate 
8 1 3d and also one input of AND gate S06d. 
If bit 2 of UBS logic is a i as indicated by 
signal UBS0210 then AND gate 813d is 
enabled and signal UMPBOIOgoes high and 

to indicates that bit 2 on UBS logic is a 1. 
Moreover if bit 3 of UBS logic is a 1 
indicated by input signal UBS03I0 being 
applied as another input of AND gate 816d 
then AND gate 816d is enabled and signal 

15 UMPBIIO is high or a I. Therefore under 
the assumed conditions where bits (2, 3) 
UBS logic is greater or equal to the 
contents of UP register the maximum value 
of the two quantities is lo UBS, and its 

20 number is binary 1 1 or decimal 4. Hence it 
is seen how a comparison is first made to 
determine which hardware contains the 
maximum, and then a determination is 
made as to the value of that maximum. By 

25 similar analysis one may see how the value 
of the UP register may be deterrained by 
signals UMPBOlO and signals UMPBIIO 
when the contents of UP reg^er is greater 
than the second and third bit <^ UBS logic. 

30 Similarly the maximum value of UM 
register 502 or UV register 503 may be 
determined by signals UVGEMIO and 
UMGTViO rc«>ectivcly, when UV register 
503 is greater than or equal to UM register 

35 502, and conversely ^en UM register 502 
is greater than UV register 503. 

Referring now to Figures 9a^i a legend 
of symbols utilized in Figures 7 and 8 is 
shown. Figure 9a shows the symbol when 

40 there is a connection internally within the 
logic board. Figure 9b illustrates an output 
ptn connection. Figure 9c indicates an 
input pin connection and is generally a 
source outside of the logic board 

45 illustrated. Figure 9d is the symbol utilized 
for an AND gate. Figure 9c is the symbol 
utilized for an amplifier; whereas Figure 9f 
is the syrhbol utilized for an inverter. Figure 
9g illustrates three AND gates 901g— 903g 

50 that arc OR^cd together thus causing 
output 904g to go high when any one of 
AND gates 901g— 903g is high. Figure 9h 
shows the symbol of a flip-flop having a 00 
reset terminal and a 10 set terminal. A PDA 

55 line supplies the clock pulse for causing the 
flip-flop to switch states when other 
conditions are present on the flip-flop. 
Figure 9i represents a micro-operation 
control signal. 

60 In order to enforce the ring protection 
scheme between procedures executing in 
different rings, the invention employs push- 
down stacks for its procedure linkage 
mechanism wherein a portion of each stack 
65 called a stack frame is dynamically 



allocated to each procedure. Different 
stack segments are used for each ring with 
one stack segment corresponding to one 
ring. Thus when a procedure is executed in 
ring RN its slack frame is located in the RN 70 
stack segment. Referring to Figure 10 there 
is shown three slack segments 100! — 1003, 
with each stack segment having stack 
frames SI — S3 respectively. Ring 3 is 
assigned to stack segment 1001, ring 1 75 
assigned to stack segment 1002 and ring 0 is 
assigned to stack segment 1003. V^thin 
each stack segment there is a procedure 1 L 
associated with stack frame SI of segment 
lOOU a procedure P2 associated with stack 80 
frame S2 of stack segment 1002 and a 
procedure P3 associated with stack frame 
S3 of stack segment 1003. The segmented 
addresses (i.e. segment number and 
segment relative address SEG, SRA) of the g5 
first bytes of the stack segments for rings 0, 
1 and 2 respectively are located in stack 
base words SBWO— SBW2 respectively 
which are in turn located in process control 
black 104. Since the ring 3 stack segment 90 
can never be entered by an inward call (i.e. 
from a ring higher than ring 3) its stack 
starting address is not needed. Each stack 
frame SI, S2, S3 is divided into a working 
area 1005, 1006, 1007 respectively; an 95 
unused portion 1008, 1009, 1010, which is 
utilized for alignment purposes; a register 
saving area lOIf, I0I2, and 1013; and a 
communication area 1014« 1015, and 1016 
respectively. The worldng area is utilized by 100 
its procedure as needed and may contain 
material required by the process such as 
local variables, etc. The saving area of the 
stack frame is utilized to save die contents 
of various registers such as the status 105 
register, the T*register and the instruction 
counter contents ICC. The 
communications area stores information 
which is needed to pass parameters 
between procedures. Pnor to a call to a 110 
given procedure the user saves those 
registers he wishes saved and moreover 
loads into the communication area the 
parameters to be passed to the called 
procedure. When the call is made, the 115 
hardware saves the contents of the 
instruction counter and other specified 
registers to facilitate a return from the 
called procedure. Each procedure call 
creates a stack frame within a stack 120 
segment and subsequent procedure calls 
create additional frames. Hence a stack is 
created and consists of a number of 
contiguous parts called stack frames which 
are dynamically allocated to each 125 
procedure. These stacks reside in stack* 
segments. Generally the first stack frame is 
loaded into the beginning of the segment 
and succeeding frames are loaded afler it. 
The last frame loaded is considered the top 130 
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of ihe slack. A T-re^sler 1 14 oa Figure 1, 
locates the top of the stack for the ctirrenUy 
active process. A procedure such as for 
example P i which is executing in ring 3 may 
S ca!) a procedure P2 executing in ring 1 
which in turn calls a procedure P3 which is 
now executing in ring 0. As each procedure 
is called it creates within its ring stack 
segment a stack frame (i.e. dcfim'ng the 

10 environment for the procedure execution) 
and the T-rcgistcr 1 14 is loaded which gives 
the address of the top of the stack for the 
current active process. The procedure PI 
(as previously assumed) may call procedure 

1 5 P2 which in turn may call procedure P3 and 
since these calls are from a higher ring 
number to a lower ring number a ring 
crossing entailing an inward call is required 
and is accomplished in a manner to be 

20 described infra. During each change of 
procedure the necessary registers and 
parameters are saved in order to facilitate a 
return from the called procedure. 

A procedure is always accessed through a 

25 procedure descriptor 1 1 10 by means of the 
ENTER PROCEDURE INSTRUCTIONS. 
The formal of the ENTER PROCEDURE 
INSTRUCTION 1 100 is shown on Figure 
lla. The operation code (OP) 1101 

30 occupies bit positions 0 through 7. The 
complementary code 1 102 is a one bit code 
and occupies bit nosition 8 to 9; if the 
complementary coae is set to logical 1 the 
instruction is ENT. whereas if the 

35 complementary code is loeicaJ 0 the 
instruction is ENTSR and the base register 
must be base register 0 (BRO). The address 
suitable AS 1104 occupies bit positions 12 
thru 31 and provides the address syflable 

40 AS of the procedure descriptor 1 1 10. When 
an ENTER PROCEDURE 
INSTRUCTION requires a ring crossing a 
gating procedure descriptor 1120 is 
obligatorily accessed. This is indicated 

45 the GS field 1302 of segment descriptor 
1301 being set to logical 10. Generally the 
GS field is set to 10 when one of the 
ENTER PROCEDURE INSTRUCTIONS 
As utilized. As described in the application 

50 No. 21630y76. Serial No. 1,465,344, the 
segment descriptor is utilized to point to the 
base of the segment desired, in this instance 
the segment 1300 containing gate 
procedure descriptors GPD 1 120. The first 

55 word of the segment 1300 containing the 
gating procedure descriptors (GPD's) is 
formatted as shown in Figure lie. The 
TAG 1121 occupies bit positions 0 and I 
and must indicate a fault descriptor i.e. the 

60 TAG field must be set to logical IK The 
Callefs Maximum Rin§ Number CMRN 
1122 occupies bit positions 2 and 3, and 
indicates the maximum ring from which a 
calling procedure through the gated 

65 procedure descriptor GPD is legal. A call 
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violation exception is generated if the 
caller s ring number is greater than CMRN 
1 122. The gated procedure descriptor 
address boundary GPDAB 1124 occupies 
bit positions 10 through 31 and it must be 70 

freater than the segment relative address 
RA (i.e. the GPD^s displacement in the 
segment of procedure oescriptors 1300), 
otherwise an illegal GPD access exception 
occurs. Thus a gating procedure descriptor 75 
GPD is utilized as the first word of the 
segment containing procedure descriptors 
and is mflized to determine whether the 
caller has a right to access the segment via 
the caller's maximum ring number CMRN 80 • 
and whether or not the procedure 
descriptor called is within the gating 
procedure descriptor's address boundary. 
Once it is determined that there is a legal 
call to the segment and the caller has a ri^i 85 
to enter the segment the address is obtained 
from the address syllable AS 1 104 of enter 
instruction 1100 and the reciuired 
procedure descriptor II 10 (see also Figure 
13} is accessed. The format of procedure 90 
descriptor 1 110 is shown on Figure I lb and 
is comprised of two 32 bit wonk — word 0 
and 1 respectively. Word 0 contains the 
segmented address 1 1 13 of the entry point 
EP of the procedure desired. The 95 
segmented address, as is the case with the 
segmented address of any operand, is 
comprised of the segment number SEG and 
the segment relative address SRA. Word 0 
of the ^ocedure descrqrtor includes an ](X) 
entry point ring number EPRN 1112 and a 
TAG field 1 1 1 1. The value of the TAG is 
interpreted as follows: 

a. if the TAG contains logical <X) the 
procedure descriptor is direct; 105 

b. if the TAG is logical 01 the procedure 
descriptor is an extended descriptor and 
includes word I makir^ a total of two 
words; 

c. if the TAG is logical 10 the procedure 1 10 
descriptor is indirect ^nd an illegal 
procedure descriptor exception occurs; and 

d. if the TAG is logical 1 1 it is a fault 
procedure descriptor and an exception 
occurs. 115 

Word I of the procedure descriptor is 32 
bits long and is utilized when the TAG 
indicates an extended descriptor and 
contains the segmented address of a linkage 
section whose contents arc loaded in base 120 
register BR 7 at procedure entry time. 

Referring to Figure 12 a portion of the 
ENT instruction is shown and more 
specifically thai portion which pertains to 
the ring crossing and ring checking 125 
requirements. The ENT instruction is 
called, 1201 and a comparison is made 1202 
wherein the segmented part of the base 
register BRn is compared to the segmented 
part of the address of the T register, and if 130 
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they are not e<)ual an illegal stack base 
register 1208 is indicated. U on the other 
hand they are equal another comparison 
1203 is made wherein the 30th bit including 
5 the next two bits (i.e. bits 30 and 3 1 ) of base 
register, BRn is compared to 0 and if it is 
not equal to 0, then once again an illegal 
stack base register 1208 is indicated. If it is 
eoual to 0 it indicates that the contents of 

10 BRn is aligned with respect to the word 
boundary and another comparison 1204 is 
performed to determine that the TAG of 
BRn {i.c. the two bits starting from bit 0) is 
equal to 0. A TAG having a logical 0 

15 indicates information is accessed via a 
direct descriptor which is one of the 
requirements of the ENT instruction. If the 
TAG (i.e. bits 0 and f of BRn) is equal to 0 
then the functions staled in flow charts of 

20 Figures 14 through 16 are performed (see 
flow chart Figure 12 block 1205). If these 
meet the necessary requirements a further 
check 1206 is made to determine whether 
the segment relative address of the entry 

25 point which was given (SRA^p) is even, 
because instructions start on a half-word 
boundary. If it is not even then an illegal 
branch address exception is generated 1209 
however if it is legal the ENT instruction is 

30 executed 1207 via further steps not shown. 
Referring now to the flow charts of the 
access checking mechanism Figures 
14 — 16, generally the following operations 
are performed each time the instruction 

35 ENTER PROCEDURE is issued; 

a. the caller's right to call the callee is 
checked by first determining from the 
second word of the segment descriptor the 
call bracket in which the caller is executing. 

40 (The call bracket is determined by uking 
the minimum ring number from the write 
ring number field WR and the maximum 
ring number from the maximum ring 
number field MAXR). 

45 b. a decision is made about the next 
process ring number by determining 
whether the caller is in the same caff 
bracket as the callee, which implies don*t 
do anything; whether the caller is in a call 

50 bracket requiring that he make an outward 
call in which case an exception condition is 
generated which is handled by a mechanism 
not described herein; or finally whether the 
caller is in a call bracket which requires an 

55 inward call (i.e. going to a call bracket 
which retjuires ring crossing from a 
larger ring number to a smaller 
ring number in which case the 
ring crossing must be at a valid entry 

60 point EP and the entry point must be 
validated). 

c. a stack frame is created for the callee 
(i.e. space in the aforementioned format of 
the appropriate segment is allocated)* and 



the stack frame and the stack frame (,5 
registers are updated; 

d. a branch to the entry point of the 
procedure pointed to by the procedure 
descriptor is performed. 

Referring now to Figure 14 the access 70 
checking is started 1401 by obtaining the 
address syllable AS containing the eflective 
address ring number EAR, the segment 
number of the procedure descriptor $£G|o« 
and the segment relative address of the . 75 
procedure descriptor SRAp^. Having 
developed this information the procedure 
descriptor 1110 is fetched 1403 from 
(SEGpp, SRApo) ignoring access rights to 
scralch pad memory. The procedure 80 
descriptor 1 1 10 will yield the TAG which 
determines whether the descriptor is direct, 
extended, indirect, or a fault descriptor; the 
entry point ring number EPRN; the 
segment (SRAe,) which contains the entry 85 
point and the segment relative address 
(SRAp.) of the entry point. The TAG is 
tested 1404 to determine whether the 
descriptor 1 1 10 is direct, extended, indirect 
or a fault descriptor fay checking ks field in 90 
accordance to the code hereinbefore 
described. Only a direct or extended 
procedure descriptor is legal. An indirect or 
tauh descri|Kor is illegal and upon access 
invokes an exception mechanism not herein 95 
described. Once it is determined that a leg^ 
procedure descriptor has been arcewed the 
actual cM right checkiQg begins at point A 
1405. y» 

Referring now to Figure 15 and 100 
continuing from p<Mnt A 1405 the maximum 
ring number MAXR, the write ring niamher 
WR, and the execute permission Int £P of 
the segment containing the entry points 
SEGfip are fetched; this information is 105 
contained in the segment descriptor for the 
segment containing the entry points 
(SEGs,). The write ring number WR is 
compared to the maximum ring number 
MAXR 1503 and if the write ring number 1 10 
WR is greater than the maximum ring 
number MAXR the segment is 
nonexecutable and an execute violation 
exception 1513 occurs. If the write ring 
number WR is less than or equal to the 115 
maximum ring number MAXR then the 
execute permission bit EP is compared to 
logical 1 and if the EP bit is not logical 1 
then once again an execute violation, 
exception 1513 occurs; however if the EP 120 
bit is equal to one the effective address ring 
number EAR of the calling procedure is 
maximized with EPRN to give a new 
EAR,,— IMAX (EAR, EPRN)} where 
EAR, is the maximum of PRN as found in 125 
the instruction counter IQ and all ring 
numbers in base registers and data 
descriptors, if any. found In the path which 
leads to the procedure descriptor. The 
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effective address ring number EAR, is then gated procedure descriptor access 
compared 1506 to the maximum ring exception 1614 occurs. However if it is 
number MAXR of the MAXR segment within the address boundary of the gated 
descriptor of SEGgp which is the maximum procedure descriptor (i.e. SRA^ is Jess 
5 nng number at which a procedure may than GPDAB) then the caller's right to call 70 
execute. If EAR, is greater than MAXR the the callee is checked 1608. This is 
procedure call is an inward call which performed by comparing the effective 
requires that the procedure be entered by a address ring number EAlt to the caller's 
valid entry point and the access chcckjng maximum ring number CMRN 1122 as 

10 operation branch to point B 1507. The found in the first word 1 120 of the segment 75 
followmg checkmg operations arc then of procedure descriptors 1300. If EAR, is 
performed: ^catcr than the caller's CMRN a call 

a. the SEGgy is checked to determine if violation exception 1615 occurs which 
it is a legal gate segment; and, indicates that the caller in this partioilar 

15 b. the callefs maximum ring number instance has no right to legally call inward SO 
CMRN is checked to determine if it is i.e. from a higher ring number to a lower 
greater than or equal to the efTective ring number. On the other hand if EAR, is 

address ring number EAR of the caller. equal or less than CMRN. then the inward 

If these conditions are not true then an c^l is legal and a check is made 1609 to 

20 iHcpl gate segment exception 1603 or call determine that the process ring number 85 

violation exception 1615 occurs. PRN which is the current process ring 

Referring now to branch point B 1507 of number found in the instruction counter IC 

Figure 16 the first check 1602 that is made just before the call was made is less than the 

is to determine whether or not the maximum ring number MAXR of SEG^; 

25 segment which contains the i^ocedure and if it is the accessing mechanism 90 

d^riptors is a gate segment This is done branches to point C 1508, otherwise a new 

by examining the Gating/Semaphore field process ring number NPRN is calculated 

GS of the segment descriptor pointing to and set to a maximum ring number MAXR 

the segment of procedure descriptors, to 1611. Generally the effective address ring 

30 determine if it is set to logical 10. If the GS number EAR, is the same as the process 95 

field of the segment descriptor of the ring number PRN of the caller. Sometimes 

segment containmg procedure descriptors however, in cases where it is necessaxy to 

is set to 10 it is then a gate segment and tl^ give maximum assurance that the caller will 

Hrst word of the segment containing not be denied access to a given segment the 

35 procedure descriptors is a gated procedure EARj is greater than the PRN. In those 100 

descriptor GPD 1120 of Figure IIC and cases I RN is forced to take the value of 

Figure 13. The first word 1120 of the EAR^ in order to make sure that the call is 

segment containing procedure descriptors returned to the maximum ring number 

is then fetched from address SEG^ 0 upon an exit To this point h will be noted 

40 ignoring access rights to scratch pad that this checking mechanism was invoked 105 

memory. It will be noted that the TAG field because the EARj was greater than the 

of the first word 1120 of the s^ment MAXR hence greater than the top of the 

containing procedure descriptor SEGro call bracket of the procedure and hence an 

1300 must be a logical II (Figure 13) which inward call was necessary which 

45 indicates it is a fauh descriptor. Moreover necessitated going through a valid gate, and 1 10 

the MBZ field must be set to zero. These the mechanism included these gating 

conditions arc checked by checks. By branching back to C 1508 

hardwareyfirmware (arithmetic logic unit) (Figure 15) a further check 1509 is made to 

stop 1605 and if these conditions do not determine then that the process ring 

50 hold an illegal gate segment exception 1603 number PRN is mater than the write ring 115 

results. However if these conditions do hold number WR of SEGj, which in this context 

a check 1606 is further made to determine is the minimum ring number at which a 

that the segment relative address of the procedure may execute. If the write ring 

procedure descriptor SRApn 1110 is a number WR is greater than the process ring 

55 multiple of 8. If the condition of step 16(^ number PRN an outward call exception 120 

does not hold an illegal system object 1514 occurs. However if WR is less than or 

address exception 1613 results otherwise equal to PRN the call is legal and NPRN is 

the next step 1607 is performed. Step 1607 set to PRN 1510. 

checks 10 determine whether or not the Having made the above checks the 

60 segment relative address of the procedure inward call is made, and after performance 125 

descriptor SRApo is within the address of the desued operation a return back to 

boundary GPDAB 1124 of the gated the original point of the program in 

procedure descriptor 1120; if it is not within execution is made by the EXIT 

that address boundary it is an ill^al INSTRUCTION. During the ENTER 

65 procedure descriptor and an iUegal GPD INSTRUCTION the instruction counter IC 130 
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was saved in the saving area of the caller's 
stack frame before making the call. 
Moreover the caller's ring number was also 
saved during the ENTER INSTRUCTION 
and this was saved in base register 0 BRO. 

The format of the EXIT INSTRUCTION 
1130 is shown on Figure I ID. The 
0[ieration code OP 1131 is found in bit 
positions 0 — 1 and the complementary code 
C 1133 is found in bit positions 12 — 15. The 
complementary code allows other 
instructions to use the same 8 bit op code. 
The MBZ field 1 132 in bit positions 8 — 1 1 
must be 0 otherwise an illegal format field 
exception occurs. (BRO is generally a 
pointer to the communications area of the 
caller's stack frame). 

In performing the EXIT INSTRUCTION 
it is necessary to perform predetermined 
checks in order to ascertain that the caller 
didn^t change his image which would 
pennit him to operate a a difTerentpriviiege 
than was intended. Referring to Rgure 17 
the first check performed 1701 is to 
determine if the TAG of the instruction 
counter content (ICC) indicates a direct 
descriptor. A logical 00 in the TAG Held 
indicates that it is direct if it is not an illegal 
stack data exception 1702 occurs, whereas 
if it is equal to 0 the rang field in the 
instruction counter content ICC is set to 
the new process ring number NPKN 1703, 
This sets the new process ring number 
NPRN to what it used to be when the call 
was first made. However further checks arc 
made in order to ascertain that there was no 
further cheating. Hence the base i^jstcr 0 
ring number located at bit portion 2 and 
extending for 2 bit positions from and 
including bit position 2 must be coual to the 
new process ring number NPRN 1704. (It 
will be recalled that when the ENTER 
INSTRUCTION was called the ring 
number of the caller before the caD was 
made was stored in bits 2 and 3 of base 
register 0 (BRO). If check 170* indicates thai 
the new process ring number NPRN is not 
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equal to the ring number in bit positions 2 
and 3 of the base register 0 (B RO) an illegal 
stack data exception 1702 occurs. The next 
check 1705 determines whether an inward 
or an outward return must be performed. 
Since an inward call was {>reviously 
performed an outward return is implied in 
order to reach the origuial point from 
which the procedure was called. Moreover 
since the invention does not pennit an 
outward call there is never a necessity to 
return inward. Hence the new process ring 
number NPRN is compared to the process 
ring number PRN 1705, and if NPRN is less 
than PRN an inward return is implied and 
an inward return exception 1706 is 
generated. However if check 1705 is passed 
successfully (i.e. NPRN is greater or equal 
to PRN) then a. check is made to determine 
that a return is made to the segmented 
address SEGr that called the procedure and 
a return to the call bracket of the calling 
procedure is made and moreover that the 
execute bit EP is set This is performed by 
fetching the segment descrif^r SEGr of 
the caDing procedure 1707 and making 
checks 1709, 1711, 1712. In performmg 
checks 1709, 1711. 1712, check 1709 aal 
1711 determine that the new process ring 
number NPRN is greater than the minimum 
ring number WR but less than the 
ma x imum ring number MAXR&e. that the 
ring number is in the call bracket of the 
calfing procedure ^ere it should be). 
Finally check 1712 makes sure thm tte 
execute permission bit £P is set to ! . Thus a 
full cycle is concluded a call was p^ormed 
via an ENTER INSTRUCTION; the 
required operation or processing was 
performed via the called procedure; tiien a 
return via an EXIT INSTRUCTION to the 
calling procedure was performed. 

Having shown and described the 
preferred embodiment of the invention, 
th<»e skilled in the art will realize that many 
variations of modifications can be made to 
produce the described invention and still be 
within the scope of the claimed invention. 



Glossary of Terms 

JOB— The job is the major unit of work for the batch user. It is the vehicle for 

describing, scheduling, and accounting for work he wants done. 
JOB STEP— A smaller unit of batch work. It is generally one step in the execution 
T-Aov ^[ ^ job consisting of processing that logically belongs together. 
TASK— The smallest unit of user-defined work. No user*visibJe concurrency of 

ODeration is permitted within a task. 
PROGRAM— A set of algorithms written by a programmer to furnish the 

procedural information necessary to do a job or a part of a job. 
PROCESS GROUP PLEX— The system's internal representation of a specific 

execution of a job. . 
PROCESS GROUP— A related set of processes, usually those necessaiy for 

performance of a single job step. 
PROCESS— The controlled execution of instructions without concurrency. Its 

physical representation and control are determined by internal system 

design or convention. 
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Glossary of Terms (conL) 
PROCEDURE— A named software function or a^orhiim which is executable by 
a computational processor without concurrency. Its physical 
representation (code plus associated tnformatian, invocation, and use 
5 are determined by internal system or designed canvention). 

LOGICAL PROCESS— The collection of hardware resources and control 

information necessary for the execution of a process. 
ADDRESS SPACE (S£GMENTAT10N>-The set of logical addresses that the 
CPU is pennitted to transform into absdute addresses during a 
10 particular process. Ahhoi^ a processor has the technical ability of 

addressing every single ceuof timing memory, it is desirable to restrict 
access only to those ceils that are used during mc process associated with 
the processor. 

LOGICAL ADDRESS— An element of the process address space such as for 
15 example segment number SEG and Displacement D. 

BASIC ADDRESS DEVELOPMENT— A hardware procedure which operates 
on a number of address elements to compute an absolute address which 
is used to refer to a byte location in core. 
PROCESS CONTROL BLOCK— A process control block PCB, is associated 
20 ^th each process and contains pertinent information about its 

associated process, including the abscrinte address of tables defining the 
segment tables the process may access. 
J. P. TABLES — ^A collection of logical addresses for locating a process control 
block associated with a process. 
25 SEGn— -The segment which contains the procedure descriptor. 

SEGE^The segment which contains the entry point, as found in the pixx:edure 
descriptor. 

PRN — The process rin£ number, found in the instruction counter IC just before 
the can, or calculated by the ENTSR instructkm. 
30 EAR— The effective address ring number which is the maximum of: 
(a) the process ring number PRN as found in the IC: or 

!b) all ring numbers in tiie base register and data descriptors (if any) 
bund in the path which leads to ike piocednre descrintor fhim the call 
instruction, mduding the entiy pooit ring number EPRN located in the 
35 procedure descriptor itsdf. 

M AXR — ^The maximum nng number at which aprocedure may execute; MAXR 

is found in the segment descriptor of SEGf^ 
WR— The minimum ring number at which a procedure may execiite;WR is found 
in the segment descriptor of 
40 £P — Execution permit bit found in the segment descriptor SEGj^ 

CMRN— The caller's maximum ring nunmer, as found in the first word of the 
segment SEGpo if this segment is identiiled as a gate segment (Le. with 
the code "gate" set). 
NPRN — New process ring number. 
45 EPRN — ^Entry point ring number (foimd in the process procedure descriptor). 
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Signal Name 

(1) WSCLR 

(2) PDARG 

(3) PDURGIT 

(4) UWOBK 

(5) UWHOL 

(6) UWIBK 

(7) UWOOOOO 

(8) UWOOOlO 

(9) UWOOlOO 
UWOOllO 

(10) UVSPS 



Type 

Control 
Control 
Connecting 

Connecting 
Control 

Control 



Function 



Control 



Gears register to which it is connected. 
Clock Signal PDA. 

Pin connected to PDA at one end and 

resistor at the other. 
Expands inputs to UW register. 
Holds information in register to which it is 

connected. 
Same as UWOBK but is connected to 

different input terminal of UW register. 
Reset terminal of one flip-flop of r^[ister 

UW. 

Set terminal of flip-flop of register UW. 
Same as 7-4-8 but different flip-Oop. 

Spare Control Input. 
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Signal Name 

(11) UVSPD 

(12) UVOBK 

(13) UVOOOOO 
UVOOOlO 
UVOOlOO 
UVOOIIO 

(!4) UWViS 

(15) UWVID 

(16) UWV2F 

(17) UWVIS 
UWV2S 

(18) UWVID 

(19) UWVIH 

(20) UWVIC 

(21) UWV2C 

(22) URN IS 
URN2S 

(23) URN ID 

(24) URNSW 

(25) URN2F 

(26) URNIH 

(27) URN2C 

(28) URWIS 
URW2S 

(29) URWID 

(30) URV2F 

(31) XNU 

(32) XOO 



Addendum (cont) 

Type Function 
Data Sparc Data Input. 

Expander Same as UWOBK and UWIBK, but it 

connects different registers and gates. 
Same as UWOOOQO, UWOOOlO, UWOOlOO, 
UWOOllO, but applies to flip-flop UV. 



Control Control input for UWVIF, 

Data Data input for UWVIF, 

F/F Write control flip-flop. 

Control Control unit for UWVIF, UWV2F. 

Data Data input for UWVIF. 

Control Hold UWVIF flip-flop. 

Control Clear UWVIF. 

Control Clear UWV2F. 

Control Control inputs for URNIF, URN2F, 

Data Data Input for URN IF. 

Control Transfer URNI F to URN2F and URN2F to 
URN IF. 

F/F Control loading max (UP, UBSi 3 to UM). 

Control Hold URN IF flip-flop. 

Control Qcar URN2F. 

Control Control inputs for URVlF, URV2F. 

Data Data Input for URVIF. 

F/F Read control flop. 

Indicates tenttinai not used hereio. 

Grounded Input. 



WHAT WE CLAIM IS:— 

1. An internally programmed data 
processing apparatus CPU having a virtual 
memory system, and being rc^nsive to 
internally stored instruction words for 
processing information and having stored in 
said virtual memory system a plurality of 
different types of groups of mformation 
each information group-type associated 
with an address space bounded by a 
segment having adjustable bounds, and 
comprising means for protecting the 
information in said- virtual memory system 
from unauthorized users by restricting 
acccssability to the information in 
accordance to levels of privilege, said 
means comnrising in combination with an 
access checking mechanism; 

(a) first means arranged in operation to 
store in said virtual memory system at least 
one segment table comprising a plurality of 
segment descriptors with each se^ent 
descriptor being associated with a 
predetermined one of said segments and 
each segment descriptor having a 
predetermined format containing an access 
information element and a base address 
element in predetermined positions of said 
format, said base address element being 
used for locating in said virtual memory 
system the starting location of a selected 



one of said segments, and said access 
information elemem for specif^ng the 65 
minimum level <^ privilege requffed for a 
predetermined t^c of access that is 
permitted in a selected one of said 
segments; 

(b) a plurality of second means having a 70 
predetermined format, communicating 
with said first means, arranged to store in a 
predetermined portion of said second 
means, a segment number SEG for 
identifying a segment table and the location 75 
of a segment descriptor within said segment 
table, said second means also being 
arranged to store in a predetermined other 
portion of said second means, an offset 
address within the segment identified by go 
said segment descriptor said offset address 
locating from said segment base the first 
byte of a word within said segment; 

(c) third means responsive to an address 
syllable element of an instruction being $5 
executed for addressing one of said 
plurality of second means; 

(d) fourth means arranged to store a 
displacement from said address syllable, 

(e) fifth means, communicating with said 90 
first, second, third and fourth means, 
arranged to add the displacement D and 
said basa address to said offset; and, 

(0 sixth means responsive to said access 
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information clement in a selected one of 
said segment descriptors, restricting the 
accessability to the segment associated with 
said selected one of said segment 
5 descriptors in accordance to the level of 
privilege and the type of access specified in 
said access information element, wherein 
each group-type of information is 
associated with a predetermined ring 

10 number indicative of a level of privilege 
said level of privilege decreasing as the 
associated ring number increases 
comprising means for determining the 
maximum effective address ring number 

15 EAR {i.e. minimum level of privilege) of a 
selected process to access a selected group 
of information, said means comprising; 

(a) first means to store first information 
indicating the maximum ring number RD 

20 (i.e. minimum level of privilege) required to 
read information from said selected group; 

(b) second means to store second 
information indicating the maximum ring 
number WR (i.e. minimum level of 

25 privilege) rcauired to write information into 
said selected group; 

(c) third means to store third 
information indicating the maximum riog 
number MAXR (i.e. minimum level of 

^ privilege) required to process information 
from said selected group: and, 

(d) fourth means communicating with 
said first, second and third means, to 
determine the maximum of the contents of 

35 said first, second and third means whereby 
the e/Teciive address ring number EAR is 
generated, 

2. Apparatus according to claim 1, 
wherein said second means for storing the 

40 maximum ring number WR additionally 
indicates the minimum ring number Wk 
(i.e. maximum level of pri^ege) required 
to process information from said selected 
group. 

45 3. Apparatus according to claim 1 or 
claim 2, wherein said fourth means to 
generate the effective address ring number 
comprises a comparator for comparing 
binary numbers. 

50 4. Apparatus according to any one of 
claims I to 3 wherein the sixth means 
restricting the accessibility to the segment 
includes comparator means, 
communicating with said second means, to 

55 compare the ciTective address ring number 
EAR with the write ring number WR, and 
further including means communicating 
with said comparator means to generate a 
wrKe-vioIation-cxccption signal when EAR 

60 is greater than WR. 

5. Apparatus according to claim 4, 
wherein the sixth means restricting the 
accessibility to the segment includes seventh 
means, communicating with said second 

65 and third means thereof to. compare the 



maximum ring number MAXR and the 
write ring number WR with the effective 
address ring number EAR, and further 
including eighth means, communicating 
with said seventh means for generating an 70 
execute-violation<xception ^^nal ^en the 
MAXR is not equal or greater than EAR 
which in turn is not equal or greater than 
WR. 

6. Apparatus according to claim 5, 75 
wherein in that the sixth means restricting 

the accessibility to the segment includes 
ninth means, communicating with said first 
means, for comparing the effective address 
ring number EAR with the read ring go 
number RD, and further including 
tenth means, communicating v^ith said 
ninth means, to generate a read-^violation- 
exeption signal when EAR is greater than 
RD. 85 

7. Apparatus according to claim 6, 
wherein in that the sixth means restricting 
the accessibility to the segment indudes 
eleventh means to st<Ke a process ring 
number PRN of a current^ executing 90 
process, and also including twelfth means 

to communicate with said eleventh means* 
and further mcluding thirteenth means 
communicating said said twelfth means for 
overriding said read-violation-exception 95 
signal when the effective address ring 
number EAR is equal to the process ring 
number PRN of the current^ executing 
process. 

S. Apparatus according to any one of the 100 
preceding claims wherein the access 
checking mechanism supervises transfer of 
control of said CPU from a first selected 
procedure (Le. cafler) having a first ring 
numb^ mdicatfve of a minimum level of 105 
privilege associated with said caller, to a 
second selected f^^ocedure (Le. the callee) 
having a second ring number associated 
with said callee indicative of a minimum 
level of privilege associated with said HO 
callee, said access checking mechanism 
comprising 

(a) first means for checking the caller's 
ri^t to call the callee; 

(b) second means, communicating with 115 
said first means, to compare the caller's 
ring number to the callee^s ring number, 

(c) third means responsive to said second 
means to permit a transfer of control of said 
CPU from said caller to said callee when 120 
the ring number of the caller is greater than 

the ring number of callee (i.e. inward call); 
and, 

(d) fourth means also responsive 

to said second means to deny a 125 
transfer of control of said CPU 
from said caller to said callee when 
the ring number of said caller is less than 
the ring number of the callee (i.e. outward 
call). 130 



25 



U483.282 
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20 



9. Apparatus according to claim 8, 
wherein the access checking mechanism 
includes a plurality of ring stack-scgmcat 
means each of said ring stack-segment 
means having associated with it a ring 
stack-segment number, indicative of the 
minimum level of privilege required by a 
selected one of said procedures to access a 
selected one of said ring stack segments. 

10. Apparatus according to claim 9 
wherein there are four ring slack segment 
means having ring numbers 0 to 3 
respectively. 

11. Apparatus according to claim 9 or 
claim 10 wherein the access checking 
mechanism includes stack-framc-element 
means associated with selected ones of said 
procedures, said stack-framc-clcracnt 
means being grouped within said ring stack- 
segment means in accordance with the ring 
number of the associated procedure of said 



25 



stack-framc-clement means, said stack 
frame element means to save said register 
of said caller prior to passing control to said 
callee. 25 

12. Apparatus according to claim II, 
wherein tJie access checkmg mechanism 
includes first sub-clement means, 
responsive to said first, second, third and 
fourth means, for communicating between 30 
a selected one of said sUck-frame-means in 
a first ring stack-segment being associated 
with one ring number, and a selected other 
of said stack-frame-means in a second ring 
stack-segment associated with another ring 35 
number. 

BARON & WARREN, 
16, Kensington Square, 
London, W8 5HL. 
Chartered Patent Agents. 
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